On 07.10.2015 16:48, Amos Jeffries wrote:
or

sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl
sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1

can I have a working sample of valid_cert.pl that results
in an "access denied" or any other error page of squid?
An ERR result from the helper should result in the invalid certificate
handling happening in Squid. Whether that results in a particular error
page (or not) depends on several things I'm not completely certain about.
Not really, nothing different happens;

(it may bring this on any page that is ssl_bumped,
so I know the interface, because this here:
http://wiki.squid-cache.org/Features/SslServerCertValidator
is wrong;

Ah. I see the concurrency channel is not documented, but is being sent.
What Squid version are you using?
I'm using squid 3.4.10, the build from Eliezer
http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-3.4.10-1.el6.x86_64.rpm
and
http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-helpers-3.4.10-1.el6.x86_64.rpm

instead of
/usr/lib64/squid/cert_valid.pl
I used a bash-script with this content

#!/bin/bash

myprog 2>>/tmp/pre.log |/usr/lib64/squid/cert_valid.pl

and the C source of myprog:

#include <stdio.h>
#include <unistd.h>   /* read() and write() */

/* Tee: copy everything read on stdin to both stdout (which the wrapper
 * script pipes into cert_valid.pl) and stderr (appended to /tmp/pre.log). */
int main( int argc, char* argv[ ] )
{
         static char szBuf[ 260 ];
         int nLen;
         while( ( nLen = read( 0, (void*) szBuf, 256 ) ) > 0 )
         {
                 write( 1, (void*) szBuf, nLen );
                 write( 2, (void*) szBuf, nLen );
         }
         return 0;
}
This helper is broken. The protocol here or even other helpers, has
never been to dump the input back to Squid.
Be careful, this is part of the helper script above, to catch the content that's sent to the helper ...
Input and output "lines" have different syntax and contents.
of course ...
so I got the ident content as stdout and stderr and there I caught e.g.
this:

<CATCH CONTENT>
0 cert_validate 3373 host=revoked.grc.com
cert_0=-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
</CATCH CONTENT>

with this I could program a correct certificate validator using OpenSSL,
but I MUST have a little bit more precise knowledge about the correct
interface;

can someone please explain how the 3373 of the CATCH CONTENT above is
calculated?
Documented in the wiki:
"Total size of the following request bytes taken by the key=pair
parameters."

That is the byte size of the "host=...END CERTIFICATE-----" key-pair
part of the message.
Ok, I'll try whether something was kicked away ...
always returns "0 OK 0 \1"
what does \1 mean here?
\1 is the binary code (0x01) for end of line/message this helper
requires. We cannot use \n like other helpers since several \n are part
of the cert PEM format.

is this also true for requests this helper receives?

Thanks,
Walter
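As an added example (not Squid's own code and not from this thread): framing and parsing a cert_validate request in the \1-terminated format discussed above, including the byte-size check Amos describes, plus the "0 OK 0 \1" style reply. It assumes newline-separated key=value pairs as in the captured request; the PEM text is constructed and is not a real certificate.

```python
import re
from typing import Dict, List, Optional, Tuple

EOM = b"\x01"  # end-of-message byte; \n is unusable because PEM bodies contain newlines

# Constructed, deliberately fake PEM text (not a real certificate)
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            "MIIBconstructedSampleNotARealCertificate\n"
            "-----END CERTIFICATE-----")

# A key starts a line; base64 PEM lines cannot contain '_' and 'host=' alone is not valid base64
KEY_RE = re.compile(r"^(host|cert_\d+)=(.*)$")

def build_request(channel: int, host: str, certs: List[str]) -> bytes:
    """Frame '<channel> cert_validate <size> <body>\\x01'; size is the byte length of the
    key=value body (from 'host=' through the last 'END CERTIFICATE-----')."""
    pairs = [f"host={host}"] + [f"cert_{i}={pem}" for i, pem in enumerate(certs)]
    body = "\n".join(pairs).encode()
    return f"{channel} cert_validate {len(body)} ".encode() + body + EOM

def parse_request(stream: bytes) -> Optional[Tuple[int, Dict[str, str], bytes]]:
    """Return (channel, fields, unread bytes) for the first complete request in stream,
    None if no \\x01 terminator has arrived yet; raise ValueError on a malformed message."""
    end = stream.find(EOM)
    if end < 0:
        return None  # wait for more input instead of guessing a boundary
    channel, code, size, body = stream[:end].split(b" ", 3)
    if code != b"cert_validate":
        raise ValueError(f"unexpected request code {code!r}")
    if int(size) != len(body):
        raise ValueError(f"declared {int(size)} body bytes but received {len(body)}")
    fields: Dict[str, str] = {}
    key = None
    for line in body.decode().split("\n"):
        m = KEY_RE.match(line)
        if m:
            key, fields[key] = m.group(1), m.group(2)
        elif key is not None:
            fields[key] += "\n" + line  # continuation line of a multi-line PEM value
        else:
            raise ValueError(f"body does not start with a key=value pair: {line!r}")
    return int(channel), fields, stream[end + 1:]

def build_response(channel: int, result: str, body: str = "") -> bytes:
    """Frame the reply the same way; a plain OK is '<channel> OK 0 \\x01'."""
    raw = body.encode()
    return f"{channel} {result} {len(raw)} ".encode() + raw + EOM
```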
