Re: [squid-users] Default state for the option generate-host-certificates
On 29/10/2016 8:18 a.m., Garri Djavadyan wrote:
> On 2016-10-28 18:39, Yuri Voinov wrote:
>> It seems a bug.
>
> On 2016-10-28 19:53, Alex Rousskov wrote:
>>> Is it a bug, a documentation error, or did I simply miss something?
>>
>> It is a bug IMO. The documented intent sounds worth supporting to me.
>
> Thanks. I've opened the report [1].
>
> [1] http://bugs.squid-cache.org/show_bug.cgi?id=4627

Thanks. I've fixed the docs in Squid-3; it will show up whenever the next 3.5 release happens.

For Squid-4 I am making Squid actually have those defaults. That will go in soon after the change passes pre-commit build testing.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Default state for the option generate-host-certificates
On 2016-10-28 18:39, Yuri Voinov wrote:
> It seems a bug.

On 2016-10-28 19:53, Alex Rousskov wrote:
>> Is it a bug, a documentation error, or did I simply miss something?
>
> It is a bug IMO. The documented intent sounds worth supporting to me.

Thanks. I've opened the report [1].

[1] http://bugs.squid-cache.org/show_bug.cgi?id=4627

Garri
Re: [squid-users] Default state for the option generate-host-certificates
On 10/28/2016 06:56 AM, Garri Djavadyan wrote:
> The last sentence for the generate-host-certificates[=] option
> paragraph states:
>
> This option is enabled by default when ssl-bump is used.

I see no [trunk] code to match that statement.

> Is it a bug, a documentation error, or did I simply miss something?

It is a bug IMO. The documented intent sounds worth supporting to me.

Alex.
Re: [squid-users] Default state for the option generate-host-certificates
It seems a bug. Just always specify the option explicitly.

28.10.2016 18:56, Garri Djavadyan wrote:
> Hello list,
>
> The last sentence for the generate-host-certificates[=] option
> paragraph states:
>
> This option is enabled by default when ssl-bump is used. See the
> ssl-bump option above for more information.
>
> But a client can't negotiate a secure connection and times out when the
> option is not specified explicitly. For example, with the following config
> I get a negotiation timeout:
>
> # diff etc/squid.conf.default etc/squid.conf
> 59c59
> < http_port 3128
> ---
>> http_port 3128 ssl-bump cert=/usr/local/squid35/etc/ssl_cert/myCA.pem
> 73a74,76
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>
> $ https_proxy="127.0.0.1:3128" curl -v -k https://ya.ru/ > /dev/null
> *   Trying 127.0.0.1...
> * TCP_NODELAY set
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
> * Establish HTTP proxy tunnel to ya.ru:443
>> CONNECT ya.ru:443 HTTP/1.1
>> Host: ya.ru:443
>> User-Agent: curl/7.50.3
>> Proxy-Connection: Keep-Alive
>>
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * Initializing NSS with certpath: none
>   0     0    0     0    0     0      0      0 --:--:--  0:00:59 --:--:--     0* NSS error -5938 (PR_END_OF_FILE_ERROR)
> * Encountered end of file
> * Curl_http_done: called premature == 1
>   0     0    0     0    0     0      0      0 --:--:--  0:01:00 --:--:--     0
> * Closing connection 0
> curl: (35) Encountered end of file
>
> No problems if the option is specified explicitly:
>
> # diff etc/squid.conf.default etc/squid.conf
> 59c59,61
> < http_port 3128
> ---
>> http_port 3128 ssl-bump \
>>   cert=/usr/local/squid35/etc/ssl_cert/myCA.pem \
>>   generate-host-certificates
> 73a76,78
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>
> Is it a bug, a documentation error, or did I simply miss something?
>
> Thanks.
>
> Garri

--
Cats - delicious. You just do not know how to cook them.
[squid-users] Default state for the option generate-host-certificates
Hello list,

The last sentence for the generate-host-certificates[=] option paragraph states:

    This option is enabled by default when ssl-bump is used. See the
    ssl-bump option above for more information.

But a client can't negotiate a secure connection and times out when the option is not specified explicitly. For example, with the following config I get a negotiation timeout:

# diff etc/squid.conf.default etc/squid.conf
59c59
< http_port 3128
---
> http_port 3128 ssl-bump cert=/usr/local/squid35/etc/ssl_cert/myCA.pem
73a74,76
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all

$ https_proxy="127.0.0.1:3128" curl -v -k https://ya.ru/ > /dev/null
*   Trying 127.0.0.1...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
* Establish HTTP proxy tunnel to ya.ru:443
> CONNECT ya.ru:443 HTTP/1.1
> Host: ya.ru:443
> User-Agent: curl/7.50.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: none
  0     0    0     0    0     0      0      0 --:--:--  0:00:59 --:--:--     0* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Curl_http_done: called premature == 1
  0     0    0     0    0     0      0      0 --:--:--  0:01:00 --:--:--     0
* Closing connection 0
curl: (35) Encountered end of file

No problems if the option is specified explicitly:

# diff etc/squid.conf.default etc/squid.conf
59c59,61
< http_port 3128
---
> http_port 3128 ssl-bump \
>   cert=/usr/local/squid35/etc/ssl_cert/myCA.pem \
>   generate-host-certificates
73a76,78
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all

Is it a bug, a documentation error, or did I simply miss something?

Thanks.

Garri
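The check a practitioner would want after reading this thread, as an added example that is not from the list or from the Squid project: a small Python lint that joins backslash-continued squid.conf lines and reports every ssl-bump port that does not enable generate-host-certificates explicitly, which is what the 3.5 behaviour reported above requires. The two sample configurations are constructed from the diffs in the post; the extra ports and paths are assumed.

```python
# Constructed sample configurations modelled on the two diffs in the post
# (hypothetical paths; only the http_port/https_port lines are inspected).
CONF_MISSING = """\
http_port 3128 ssl-bump cert=/usr/local/squid35/etc/ssl_cert/myCA.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""
CONF_EXPLICIT = """\
http_port 3128 ssl-bump \\
    cert=/usr/local/squid35/etc/ssl_cert/myCA.pem \\
    generate-host-certificates
https_port 3129 intercept ssl-bump cert=/etc/squid/myCA.pem generate-host-certificates=on
http_port 3130   # plain proxy port, not bumping: nothing to check
"""


def logical_lines(text):
    """Yield (first_lineno, line): comments dropped, backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # continuation on the last line of the file
        yield start, " ".join(buf)


def check_bump_ports(text):
    """Return (lineno, port) for each ssl-bump port that does not explicitly
    enable generate-host-certificates (option absent, or set to off)."""
    findings = []
    for n, line in logical_lines(text):
        words = line.split()
        if words[0] not in ("http_port", "https_port") or "ssl-bump" not in words[1:]:
            continue
        if not any(w in ("generate-host-certificates",
                         "generate-host-certificates=on") for w in words[1:]):
            findings.append((n, words[1]))
    return findings
```

Run it over a real squid.conf with `check_bump_ports(open("/etc/squid/squid.conf").read())`; an empty list means every bumping port sets the option.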