[squid-users] No valid signing SSL certificate configured for HTTPS_port [::]:3128 (SSL Bump)
Hi,

I am facing an issue with Squid 3.5 with the SSL Bump configuration. I already configured it without SSL Bump and it works fine, but after configuring the intercept process it shows the below error:

No valid signing SSL certificate configured for HTTPS_port [::]:3128

Below is a snippet from the Squid configuration file:

https_port 3128 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB \
  cert=/etc/squid/ssl_cert/myCA.pem

# For squid 3.5.x
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

I used the below link as a guide in creating the certificate:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Moreover, below is the result of the squid -k command:

2017/05/09 09:38:26| Startup: Initializing Authentication Schemes ...
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'basic'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'digest'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'negotiate'
2017/05/09 09:38:26| Startup: Initialized Authentication Scheme 'ntlm'
2017/05/09 09:38:26| Startup: Initialized Authentication.
2017/05/09 09:38:26| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2017/05/09 09:38:26| Processing: acl localnet src 172.16.10.0/24 # RFC1918 possible internal network
2017/05/09 09:38:26| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2017/05/09 09:38:26| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2017/05/09 09:38:26| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2017/05/09 09:38:26| Processing: acl SSL_ports port 443
2017/05/09 09:38:26| Processing: acl Safe_ports port 80 # http
2017/05/09 09:38:26| Processing: acl Safe_ports port 21 # ftp
2017/05/09 09:38:26| Processing: acl Safe_ports port 443 # https
2017/05/09 09:38:26| Processing: acl Safe_ports port 70 # gopher
2017/05/09 09:38:26| Processing: acl Safe_ports port 210 # wais
2017/05/09 09:38:26| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/05/09 09:38:26| Processing: acl Safe_ports port 280 # http-mgmt
2017/05/09 09:38:26| Processing: acl Safe_ports port 488 # gss-http
2017/05/09 09:38:26| Processing: acl Safe_ports port 591 # filemaker
2017/05/09 09:38:26| Processing: acl Safe_ports port 777 # multiling http
2017/05/09 09:38:26| Processing: acl CONNECT method CONNECT
2017/05/09 09:38:26| Processing: http_access deny !Safe_ports
2017/05/09 09:38:26| Processing: http_access deny CONNECT !SSL_ports
2017/05/09 09:38:26| Processing: http_access allow localhost manager
2017/05/09 09:38:26| Processing: http_access deny manager
2017/05/09 09:38:26| Processing: http_access allow localnet
2017/05/09 09:38:26| Processing: http_access allow localhost
2017/05/09 09:38:26| Processing: http_access deny all
2017/05/09 09:38:26| Processing: https_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
2017/05/09 09:38:26| Starting Authentication on port [::]:3128
2017/05/09 09:38:26| Disabling Authentication on port [::]:3128 (interception enabled)
2017/05/09 09:38:26| Processing: sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
2017/05/09 09:38:26| Processing: acl step1 at_step SslBump1
2017/05/09 09:38:26| Processing: ssl_bump peek step1
2017/05/09 09:38:26| Processing: ssl_bump bump all
2017/05/09 09:38:26| Processing: cache_dir ufs /var/spool/squid 100 16 256
2017/05/09 09:38:26| Processing: coredump_dir /var/spool/squid
2017/05/09 09:38:26| Processing: refresh_pattern ^ftp: 1440 20% 10080
2017/05/09 09:38:26| Processing: refresh_pattern ^gopher: 1440 0% 1440
2017/05/09 09:38:26| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2017/05/09 09:38:26| Processing: refresh_pattern . 0 20% 4320
2017/05/09 09:38:26| Initializing https proxy context
2017/05/09 09:38:26| Initializing https_port [::]:3128 SSL context
2017/05/09 09:38:26| Using certificate in /etc/squid/ssl_cert/myCA.pem
FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:3128
Squid Cache (Version 3.5.20): Terminated abnormally.
CPU Usage: 0.027 seconds = 0.013 user + 0.014 sys
Maximum Resident Size: 37264 KB
Page faults with physical i/o: 0

I already did some googling for this issue and found a similar issue that was solved by setting SELinux to permissive and rebooting. I already did the same but it's still not working. Please advise.

Thanks and Regards,
Mohammed AL-Jakri

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid SSL-bump - Not working - No errors
Dears,

I am setting up SSL-bump for Squid 3.5 on CentOS 7. I already generated the SSL certificate with the below commands:

OPENSSL=/usr/bin/openssl
SSLDIR=/etc/mydlp/ssl
mkdir -p $SSLDIR || exit 1
rm -rf $SSLDIR/*
[ -e $SSLDIR/private.pem ] || $OPENSSL genrsa 4096 > $SSLDIR/private.pem
[ -e $SSLDIR/public.pem ] || (echo -e "TR\nAnkara\nTechnopolis\nMyDLP\nMyDLP\n*\nsupp...@mydlp.com\n" | $OPENSSL req -new -x509 -days 3650 -key $SSLDIR/private.pem -out $SSLDIR/public.pem)
[ -e $SSLDIR/user.der ] || $OPENSSL x509 -in $SSLDIR/public.pem -outform DER -out $SSLDIR/user.der

In addition, below you can find a snippet from the squid.conf file:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem
always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
# Or may be deny all according to your company policy
# sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

In addition, I added the user.der file to the certificate authorities on the user machine. The problem is that it's not working. Moreover, the Squid service restarts without any issues. Also, please find the attached result of the Squid configuration test. Appreciate your assistance.

Mohammed M AlJakri

[root@localhost ]# squid -k parse
2017/04/17 05:15:29| Startup: Initializing Authentication Schemes ...
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'basic'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'digest'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'negotiate'
2017/04/17 05:15:29| Startup: Initialized Authentication Scheme 'ntlm'
2017/04/17 05:15:29| Startup: Initialized Authentication.
2017/04/17 05:15:29| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2017/04/17 05:15:29| Processing: acl localnet src 192.168.10.0/24 # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
2017/04/17 05:15:29| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2017/04/17 05:15:29| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2017/04/17 05:15:29| Processing: acl SSL_ports port 443
2017/04/17 05:15:29| Processing: acl Safe_ports port 80 # http
2017/04/17 05:15:29| Processing: acl Safe_ports port 21 # ftp
2017/04/17 05:15:29| Processing: acl Safe_ports port 443 # https
2017/04/17 05:15:29| Processing: acl Safe_ports port 70 # gopher
2017/04/17 05:15:29| Processing: acl Safe_ports port 210 # wais
2017/04/17 05:15:29| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/04/17 05:15:29| Processing: acl Safe_ports port 280 # http-mgmt
2017/04/17 05:15:29| Processing: acl Safe_ports port 488 # gss-http
2017/04/17 05:15:29| Processing: acl Safe_ports port 591 # filemaker
2017/04/17 05:15:29| Processing: acl Safe_ports port 777 # multiling http
2017/04/17 05:15:29| Processing: acl CONNECT method CONNECT
2017/04/17 05:15:29| Processing: http_access deny !Safe_ports
2017/04/17 05:15:29| Processing: http_access deny CONNECT !SSL_ports
2017/04/17 05:15:29| Processing: http_access allow localhost manager
2017/04/17 05:15:29| Processing: http_access deny manager
2017/04/17 05:15:29| Processing: http_access allow localnet
2017/04/17 05:15:29| Processing: http_access allow localhost
2017/04/17 05:15:29| Processing: http_access allow all
2017/04/17 05:15:29| Processing: http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem
2017/04/17 05:15:29| Processing: always_direct allow all
2017/04/17 05:15:29| Processing: ssl_bump allow all
2017/04/17 05:15:29| SECURITY NOTICE: auto-converting deprecated "ssl_bump allow " to "ssl_bump client-first " which is usually inferior to the newer server-first bumping mode. Update your ssl_bump rules.
2017/04/17 05:15:29| Processing: sslproxy_cert_error allow all
2017/04/17 05:15:29| Processing: sslproxy_flags DONT_VERIFY_PEER
2017/04/17 05:15:29| Processing: sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
2017/04/17 05:15:29| Processing: sslcrtd_children 5
2017/04/17 05:15:29| Processing: coredump_dir /var/spool/squid
2017/04/17 05:15:29| Processing: refresh_pattern ^ftp: 1440 20% 10080
2017/04/17 05:15:29| Processing: refresh_pattern ^gopher: 1440 0% 1440
2017/04/17 05:15:29| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2017/04/17 05:15:29| Processing: refresh_pattern .
[squid-users] Squid proxy with ssl-bump - unrecognized: 'ssl-bump' error
Dears,

Thanks for adding me to the list.

I would like to install Squid proxy with SSL Bump. I am working on my virtual lab and once everything is OK I will test it on the real network. I already created a directory for the cert and generated the cert as below:

# Generate Private Key
openssl genrsa -out MSY.com.private 2048
# Create Certificate Signing Request
openssl req -new -key MSY.com.private -out MSY.com.csr
# Sign Certificate
openssl x509 -req -days 3652 -in MSY.com.csr -signkey MSY.com.private -out MSY.com.cert
# Generate certificate cache
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
# Change ownership of the certificate cache
chown squid: /var/lib/ssl_db

Then I filled in the info and put the 'Common Name' as something other than the domain or server_name.

In addition, please find the below lines from the Squid configuration file:

# Squid listen Port
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/MSY.com.private cert=/etc/squid/MSY.com.cert
# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

It's not working with the SSL Bump configuration; it works only when I remove the SSL Bump configuration, but of course then without the SSL certificate. Also I checked journalctl -xe and found the below error:

/etc/squid/squid.conf:3 unrecognized: 'ssl-bump'

Any ideas?

Regards
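A pre-flight check for the signing certificate that all three posts configure, added here as an example (not the posters' or the Squid project's code): it verifies that the PEM given to cert= holds both the CA certificate and its private key (Squid reads the key from the cert file when no key= is set, as in the first post), that the key matches the certificate, that the certificate carries basicConstraints CA:TRUE (the `openssl x509 -req -signkey` route in the third post does not add it), that it has not expired, and that the running squid binary was built with OpenSSL, which is what "unrecognized: 'ssl-bump'" points at. The script assumes openssl and squid are in PATH and that `squid -v` lists the configure options; the path in the usage line is the first post's.

```shell
# check_bump_ca.sh: pre-flight checks for a Squid ssl-bump signing CA.
# Added example for this thread, not the posters' or Squid's own code;
# assumes openssl (and, for squid_has_ssl_bump, squid) is in PATH.
# Usage: sh check_bump_ca.sh /etc/squid/ssl_cert/myCA.pem

# Squid reads the private key from cert= when no key= is given, so the
# PEM must carry a CERTIFICATE block and a PRIVATE KEY block.
pem_has_cert_and_key() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# The key must belong to the certificate: compare the public key derived
# from the private key with the one embedded in the certificate.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Host certificates are signed with this cert, so it must be a CA
# (basicConstraints CA:TRUE); "openssl x509 -req -signkey" with no
# extension file does not add that.
pem_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Build check: the ssl-bump port option exists only when Squid was
# configured --with-openssl, which "squid -v" lists among its options.
squid_has_ssl_bump() {
    squid -v 2>/dev/null | grep -q -- '--with-openssl'
}

# Run the PEM checks in order; returns 0 only when every check passes.
check_bump_ca() {
    pem=$1
    [ -r "$pem" ] || { echo "$pem: not readable"; return 1; }
    pem_has_cert_and_key "$pem" || { echo "$pem: needs certificate and key (or set key=)"; return 1; }
    pem_key_matches_cert "$pem" || { echo "$pem: key does not match certificate"; return 1; }
    pem_is_ca "$pem" || { echo "$pem: not a CA (no basicConstraints CA:TRUE)"; return 1; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || { echo "$pem: expired"; return 1; }
    echo "$pem: usable as an ssl-bump signing CA"
}

if [ $# -ge 1 ]; then
    check_bump_ca "$1"
    squid_has_ssl_bump || echo "warning: squid -v does not list --with-openssl"
fi
```

Run it as the squid user (for example with `sudo -u squid`) to catch the file-permission and SELinux cases the first post mentions, since the readability test is done with the caller's privileges.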