[squid-users] No valid signing SSL certificate configured for HTTPS_port [::]:3128 (SSL Bump)

2017-05-09 Thread Mohammed al-jakry
Hi,

I am facing an issue with Squid 3.5 with an SSL Bump configuration. I already
configured it without SSL Bump and it works fine, but after configuring the
intercept process it shows the below error:

No valid signing SSL certificate configured for HTTPS_port [::]:3128

Below is a snippet from the Squid configuration file:

https_port 3128 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB \
  cert=/etc/squid/ssl_cert/myCA.pem

# For squid 3.5.x
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

I used the below link as a guide in creating the certificate:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Moreover, below is the result of the squid -k command:

2017/05/09 09:38:26| Startup: Initializing Authentication Schemes ...
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'basic'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'digest'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'negotiate'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'ntlm'
2017/05/09 09:38:26| Startup: Initialized Authentication.
2017/05/09 09:38:26| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2017/05/09 09:38:26| Processing: acl localnet src 172.16.10.0/24 # RFC1918 possible internal network
2017/05/09 09:38:26| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2017/05/09 09:38:26| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2017/05/09 09:38:26| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2017/05/09 09:38:26| Processing: acl SSL_ports port 443
2017/05/09 09:38:26| Processing: acl Safe_ports port 80 # http
2017/05/09 09:38:26| Processing: acl Safe_ports port 21 # ftp
2017/05/09 09:38:26| Processing: acl Safe_ports port 443 # https
2017/05/09 09:38:26| Processing: acl Safe_ports port 70 # gopher
2017/05/09 09:38:26| Processing: acl Safe_ports port 210 # wais
2017/05/09 09:38:26| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/05/09 09:38:26| Processing: acl Safe_ports port 280 # http-mgmt
2017/05/09 09:38:26| Processing: acl Safe_ports port 488 # gss-http
2017/05/09 09:38:26| Processing: acl Safe_ports port 591 # filemaker
2017/05/09 09:38:26| Processing: acl Safe_ports port 777 # multiling http
2017/05/09 09:38:26| Processing: acl CONNECT method CONNECT
2017/05/09 09:38:26| Processing: http_access deny !Safe_ports
2017/05/09 09:38:26| Processing: http_access deny CONNECT !SSL_ports
2017/05/09 09:38:26| Processing: http_access allow localhost manager
2017/05/09 09:38:26| Processing: http_access deny manager
2017/05/09 09:38:26| Processing: http_access allow localnet
2017/05/09 09:38:26| Processing: http_access allow localhost
2017/05/09 09:38:26| Processing: http_access deny all
2017/05/09 09:38:26| Processing: https_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
2017/05/09 09:38:26| Starting Authentication on port [::]:3128
2017/05/09 09:38:26| Disabling Authentication on port [::]:3128 (interception enabled)
2017/05/09 09:38:26| Processing: sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
2017/05/09 09:38:26| Processing: acl step1 at_step SslBump1
2017/05/09 09:38:26| Processing: ssl_bump peek step1
2017/05/09 09:38:26| Processing: ssl_bump bump all
2017/05/09 09:38:26| Processing: cache_dir ufs /var/spool/squid 100 16 256
2017/05/09 09:38:26| Processing: coredump_dir /var/spool/squid
2017/05/09 09:38:26| Processing: refresh_pattern ^ftp: 1440 20% 10080
2017/05/09 09:38:26| Processing: refresh_pattern ^gopher: 1440 0% 1440
2017/05/09 09:38:26| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2017/05/09 09:38:26| Processing: refresh_pattern . 0 20% 4320
2017/05/09 09:38:26| Initializing https proxy context
2017/05/09 09:38:26| Initializing https_port [::]:3128 SSL context
2017/05/09 09:38:26| Using certificate in /etc/squid/ssl_cert/myCA.pem
FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:3128
Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.027 seconds = 0.013 user + 0.014 sys
Maximum Resident Size: 37264 KB
Page faults with physical i/o: 0

I already googled this issue and found a similar issue that was solved by
setting SELinux to permissive and rebooting. I already did the same, but it's
still not working. Please advise.

Thanks and Regards,

Mohammed AL-Jakri
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Squid SSL-bump - Not working - No errors

2017-04-16 Thread Mohammed al-jakry
Dears,

I am setting up SSL Bump for Squid 3.5 on CentOS 7. I already generated the
SSL certificate with the below commands:

OPENSSL=/usr/bin/openssl
SSLDIR=/etc/mydlp/ssl
mkdir -p $SSLDIR || exit 1
rm -rf $SSLDIR/*
[ -e $SSLDIR/private.pem ] || $OPENSSL genrsa 4096 > $SSLDIR/private.pem
[ -e $SSLDIR/public.pem ] || (echo -e "TR\nAnkara\nTechnopolis\nMyDLP\nMyDLP\n*\nsupp...@mydlp.com\n" | $OPENSSL req -new -x509 -days 3650 -key $SSLDIR/private.pem -out $SSLDIR/public.pem)
[ -e $SSLDIR/user.der ] || $OPENSSL x509 -in $SSLDIR/public.pem -outform DER -out $SSLDIR/user.der

In addition, below you can find a snippet from the squid.conf file:

http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem
cert=/etc/mydlp/ssl/public.pem

always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
# Or may be deny all according to your company policy
# sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

In addition, I added the user.der file to the certificate authorities on the
user machine. The problem is that it's not working. Moreover, the Squid service
restarts without any issues. Also, please find the attached result of the
squid configuration test.

I appreciate your assistance.

Mohammed M AlJakri
[root@localhost ]# squid -k parse
2017/04/17 05:15:29| Startup: Initializing Authentication Schemes ...
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'basic'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'digest'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'negotiate'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'ntlm'
2017/04/17 05:15:29| Startup: Initialized Authentication.
2017/04/17 05:15:29| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2017/04/17 05:15:29| Processing: acl localnet src 192.168.10.0/24 # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2017/04/17 05:15:29| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2017/04/17 05:15:29| Processing: acl SSL_ports port 443
2017/04/17 05:15:29| Processing: acl Safe_ports port 80 # http
2017/04/17 05:15:29| Processing: acl Safe_ports port 21 # ftp
2017/04/17 05:15:29| Processing: acl Safe_ports port 443 # https
2017/04/17 05:15:29| Processing: acl Safe_ports port 70 # gopher
2017/04/17 05:15:29| Processing: acl Safe_ports port 210 # wais
2017/04/17 05:15:29| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/04/17 05:15:29| Processing: acl Safe_ports port 280 # http-mgmt
2017/04/17 05:15:29| Processing: acl Safe_ports port 488 # gss-http
2017/04/17 05:15:29| Processing: acl Safe_ports port 591 # filemaker
2017/04/17 05:15:29| Processing: acl Safe_ports port 777 # multiling http
2017/04/17 05:15:29| Processing: acl CONNECT method CONNECT
2017/04/17 05:15:29| Processing: http_access deny !Safe_ports
2017/04/17 05:15:29| Processing: http_access deny CONNECT !SSL_ports
2017/04/17 05:15:29| Processing: http_access allow localhost manager
2017/04/17 05:15:29| Processing: http_access deny manager
2017/04/17 05:15:29| Processing: http_access allow localnet
2017/04/17 05:15:29| Processing: http_access allow localhost
2017/04/17 05:15:29| Processing: http_access allow all
2017/04/17 05:15:29| Processing: http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem
2017/04/17 05:15:29| Processing: always_direct allow all
2017/04/17 05:15:29| Processing: ssl_bump allow all
2017/04/17 05:15:29| SECURITY NOTICE: auto-converting deprecated "ssl_bump allow " to "ssl_bump client-first " which is usually inferior to the newer server-first bumping mode. Update your ssl_bump rules.
2017/04/17 05:15:29| Processing: sslproxy_cert_error allow all
2017/04/17 05:15:29| Processing: sslproxy_flags DONT_VERIFY_PEER
2017/04/17 05:15:29| Processing: sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
2017/04/17 05:15:29| Processing: sslcrtd_children 5
2017/04/17 05:15:29| Processing: coredump_dir /var/spool/squid
2017/04/17 05:15:29| Processing: refresh_pattern ^ftp: 1440 20% 10080
2017/04/17 05:15:29| Processing: refresh_pattern ^gopher: 1440 0% 1440
2017/04/17 05:15:29| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2017/04/17 05:15:29| Processing: refresh_pattern . 

[squid-users] Squid proxy with ssl-bump - unrecognized: 'ssl-bump' error

2017-04-14 Thread Mohammed al-jakry

Dears,

Thanks for adding me to the list…

I would like to install Squid proxy with SSL Bump. I am working in my virtual
lab and once everything is OK I will test it on the real network. I already
created a directory for the cert and generated the cert as below:
#Generate Private Key
openssl genrsa -out MSY.com.private 2048  

# Create Certificate Signing Request
openssl req -new -key MSY.com.private -out MSY.com.csr

# Sign Certificate
openssl x509 -req -days 3652 -in MSY.com.csr -signkey MSY.com.private -out MSY.com.cert
# Generate certificate cache
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
# Change ownership of the certificate cache
chown squid: /var/lib/ssl_db
Then I filled in the info and set the 'Common Name' to something other than the
domain or server_name. In addition, please find the below lines from the squid
configuration file:
# Squid listen Port
http_port 3128  
ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 
key=/etc/squid/MSY.com.private cert=/etc/squid/MSY.com.cert  
# SSL Bump Config
always_direct allow all  
ssl_bump server-first all  
sslproxy_cert_error deny all  
sslproxy_flags DONT_VERIFY_PEER  
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB 
sslcrtd_children 8 startup=1 idle=1 
It's not working with the SSL Bump configuration; it works only when I remove
the SSL Bump configuration, but of course then without the SSL certificate.
I also checked journalctl -xe and found the below error:
/etc/squid/squid.conf:3 unrecognized: 'ssl-bump'
Any ideas?


Regards
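A configuration check, added here as an illustration (not Squid's code and not the poster's), covering the three symptoms in these threads: a port option such as `ssl-bump` parsed as its own directive because it was put on a separate line (the `unrecognized: 'ssl-bump'` error in the oldest post), a `cert=` PEM that holds no private key when no `key=` is given, which leaves Squid without a loadable signing certificate (one cause of the FATAL in the newest post), and the deprecated `ssl_bump allow` plus `DONT_VERIFY_PEER` from the middle post. The sample config and PEM contents are constructed; the lint reads PEM text from a dict instead of the filesystem so it runs offline.

```python
# Constructed samples mirroring the three threads above, not the poster's real files.
SAMPLE_CONF = """\
http_port 3128
ssl-bump generate-host-certificates=on cert=/etc/squid/MSY.com.cert
https_port 3128 intercept ssl-bump \\
  generate-host-certificates=on cert=/etc/squid/ssl_cert/myCA.pem
ssl_bump allow all
sslproxy_flags DONT_VERIFY_PEER
"""
# Hypothetical file contents: the CA PEM holds a certificate but no private key.
SAMPLE_PEMS = {"/etc/squid/ssl_cert/myCA.pem": "-----BEGIN CERTIFICATE-----\n"}
PORT_OPTS = ("ssl-bump", "generate-host-certificates=", "cert=", "key=")


def _logical_lines(text):
    """Yield (line_no, line) with backslash continuations joined, as squid.conf is read."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            yield start, line


def lint_squid_conf(conf, pem_files):
    """Return findings for the SSL-Bump mistakes in these threads; pem_files maps path -> PEM text."""
    out = []
    for no, line in _logical_lines(conf):
        w = line.split()
        if w[0].startswith(PORT_OPTS):  # a *_port option parsed as its own directive
            out.append(f"line {no}: port option '{w[0]}' on its own line; join it to the "
                       "*_port line with a trailing backslash (unrecognized: 'ssl-bump')")
        elif w[0] in ("http_port", "https_port") and "ssl-bump" in w:
            opts = dict(x.split("=", 1) for x in w if "=" in x)
            cert, key = opts.get("cert"), opts.get("key") or opts.get("cert")
            if not cert:
                out.append(f"line {no}: ssl-bump without cert=")
            elif "PRIVATE KEY" not in (pem_files.get(key) or ""):
                out.append(f"line {no}: no private key readable from {key}, so no signing cert")
        elif w[0] == "ssl_bump" and len(w) > 1 and w[1] in ("allow", "deny"):
            out.append(f"line {no}: deprecated 'ssl_bump {w[1]}'; use peek/stare/bump/splice")
        elif w[0] == "sslproxy_flags" and "DONT_VERIFY_PEER" in w:
            out.append(f"line {no}: upstream certificate verification is disabled")
    return out
```

Run it on a real squid.conf by reading the file and building the dict from the `cert=`/`key=` paths it names; a clean result does not prove the certificate is a usable CA, only that the basic mistakes above are absent.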