Re: [squid-users] Default state for the option generate-host-certificates

2016-10-29 Thread Amos Jeffries
On 29/10/2016 8:18 a.m., Garri Djavadyan wrote:
> On 2016-10-28 18:39, Yuri Voinov wrote:
>> It seems a bug.
> 
> 
> On 2016-10-28 19:53, Alex Rousskov wrote:
>>> Is it a bug, documentation error or I simply missed something?
>>
>> It is a bug IMO. The documented intent sounds worth supporting to me.
> 
> 
> Thanks. I've opened the report [1].
> 
> [1] http://bugs.squid-cache.org/show_bug.cgi?id=4627
> 

Thanks. I've fixed the docs in Squid-3, will show up whenever the next
3.5 release happens.

For Squid-4 I am making Squid actually have those defaults. That will go
in soon after the change passes pre-commit build testing.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Default state for the option generate-host-certificates

2016-10-28 Thread Garri Djavadyan

On 2016-10-28 18:39, Yuri Voinov wrote:
> It seems a bug.


On 2016-10-28 19:53, Alex Rousskov wrote:
>> Is it a bug, documentation error or I simply missed something?
>
> It is a bug IMO. The documented intent sounds worth supporting to me.



Thanks. I've opened the report [1].

[1] http://bugs.squid-cache.org/show_bug.cgi?id=4627

Garri


Re: [squid-users] Default state for the option generate-host-certificates

2016-10-28 Thread Alex Rousskov
On 10/28/2016 06:56 AM, Garri Djavadyan wrote:

> The last sentence for generate-host-certificates[=] option
> paragraph states:
> 
>   This option is enabled by default when ssl-bump is used.

I see no [trunk] code to match that statement.


> Is it a bug, documentation error or I simply missed something?

It is a bug IMO. The documented intent sounds worth supporting to me.

Alex.



Re: [squid-users] Default state for the option generate-host-certificates

2016-10-28 Thread Yuri Voinov

It seems a bug.

Just always specify the option explicitly.



-- 
Cats - delicious. You just do not know how to cook them.





[squid-users] Default state for the option generate-host-certificates

2016-10-28 Thread Garri Djavadyan
Hello list,

The last sentence for generate-host-certificates[=] option
paragraph states:

  This option is enabled by default when ssl-bump is used. See the
  ssl-bump option above for more information.

But a client can't negotiate a secure connection and times out when the
option is not specified explicitly. For example, with the following config
I get a negotiation timeout:

# diff etc/squid.conf.default etc/squid.conf
59c59
< http_port 3128
---
> http_port 3128 ssl-bump cert=/usr/local/squid35/etc/ssl_cert/myCA.pem
73a74,76
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all

-
$ https_proxy="127.0.0.1:3128" curl -v -k https://ya.ru/ > /dev/null
*   Trying 127.0.0.1...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
* Establish HTTP proxy tunnel to ya.ru:443
> CONNECT ya.ru:443 HTTP/1.1
> Host: ya.ru:443
> User-Agent: curl/7.50.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: none
  0     0    0     0    0     0      0      0 --:--:--  0:00:59 --:--:--     0* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Curl_http_done: called premature == 1
  0     0    0     0    0     0      0      0 --:--:--  0:01:00 --:--:--     0
* Closing connection 0
curl: (35) Encountered end of file



No problems if the option is specified explicitly:

# diff etc/squid.conf.default etc/squid.conf
59c59,61
< http_port 3128
---
> http_port 3128 ssl-bump \
> cert=/usr/local/squid35/etc/ssl_cert/myCA.pem \
> generate-host-certificates
73a76,78
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all


Is it a bug, documentation error or I simply missed something?

Thanks.

Garri
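As an added example (not code from this thread or from the Squid project), a small Python lint for the pitfall Garri reports: it walks squid.conf logical lines, joining the backslash continuations his second diff uses, and flags every http_port/https_port line that enables ssl-bump without mentioning generate-host-certificates. The two sample configs are constructed, modelled on the two diffs above.

```python
# Constructed sample configs modelled on the two diffs in the report above.
CONF_MISSING = """\
http_port 3128 ssl-bump cert=/usr/local/squid35/etc/ssl_cert/myCA.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""

CONF_EXPLICIT = """\
# option given explicitly, split over continuation lines as in the report
http_port 3128 ssl-bump \\
    cert=/usr/local/squid35/etc/ssl_cert/myCA.pem \\
    generate-host-certificates
http_port 3130   # plain port, no ssl-bump: nothing to flag
"""


def logical_lines(conf_text):
    """Yield squid.conf logical lines as token lists: '#' comments stripped,
    backslash continuations joined, blank lines skipped."""
    pending = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        tokens = " ".join(pending).split()
        pending = []
        if tokens:
            yield tokens


def check_ssl_bump_ports(conf_text):
    """Return [(directive, port)] for each http_port/https_port line that
    enables ssl-bump but never mentions generate-host-certificates (the
    silent omission from the report). An explicit '=off' is left alone."""
    findings = []
    for tokens in logical_lines(conf_text):
        if tokens[0] not in ("http_port", "https_port") or len(tokens) < 2:
            continue
        options = tokens[2:]
        if "ssl-bump" not in options:
            continue
        names = {opt.split("=", 1)[0] for opt in options}
        if "generate-host-certificates" not in names:
            findings.append((tokens[0], tokens[1]))
    return findings
```

Run it over a real squid.conf with `check_ssl_bump_ports(open(path).read())`; an empty list means every bumping port states the option explicitly, which is the workaround Yuri suggests until the defaults are fixed.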