HTTPS woes


Re: HTTPS woes

Yuri Voinov

I have an automated cron job that refreshes the Mozilla CA bundle on a monthly basis.

Intermediate CAs, however, require non-scheduled maintenance. I maintain them on demand.


On 18.04.2017 20:17, Olly Lennox wrote:
Thanks Yuri! The Mozilla bundle has worked! Most of the major sites seem to be working, which is all we need. How often do these certificates refresh? Would they need updating every month or so?
 
[hidden email]
lennox-it.uk
tel: 07900 648 252



From: Yuri Voinov [hidden email]
To: Olly Lennox [hidden email]; [hidden email] [hidden email]
Sent: Tuesday, 18 April 2017, 14:43
Subject: Re: [squid-users] HTTPS woes

You are talking about two different things.
1. Root CAs are usually built into clients. For standalone use, the root CAs (from Mozilla) are usually distributed with OpenSSL distributions. If you need them (or your OpenSSL distribution does not contain the root CAs), you can find the separately distributed Mozilla CAs by a short googling: https://www.google.com/search?q=Mozilla+CA+bundle
2. Intermediate CAs are subordinate to the root CAs. There is no governed repository of them (because supporting it is work, manual work, and somebody would have to do it); moreover, they are spread across the CA authorities. There is no automated tool to maintain this _intermediate_ list. The other problem: intermediate CAs usually have a much shorter validity period than roots, and they have to be kept up to date all the time.
Finally: if you want to use Squid with SSL Bump, you should understand PKI infrastructure, and yes, you have to maintain the root CAs and intermediate CAs on the proxy by yourself, all the time. There is no free or paid service which does it for you.

On 18.04.2017 19:35, Olly Lennox wrote:
So anyone who wants to use Squid over HTTPS in this way has to build this repository themselves by manually downloading all the CA bundles?
 




From: Yuri [hidden email]
To: Olly Lennox [hidden email]; [hidden email] [hidden email]
Sent: Tuesday, 18 April 2017, 14:03
Subject: Re: [squid-users] HTTPS woes



On 18.04.2017 18:56, Olly Lennox wrote:
I'm using 

sslproxy_foreign_intermediate_certs

Is this the same thing?
No. You first need the CA roots available to Squid. CA roots and intermediates are different things.

Also, is there anywhere to get a bundle of all the major CA intermediate certs, or do you have to download them all manually?
No. You have to build it yourself.


Cheers,
 
[hidden email]
lennox-it.uk
tel: 07900 648 252



From: Yuri [hidden email]
To: [hidden email]
Sent: Tuesday, 18 April 2017, 13:51
Subject: Re: [squid-users] HTTPS woes

Try specifying the root CA bundle/dir explicitly with one of these
params:


#  TAG: sslproxy_cafile
#    file containing CA certificates to use when verifying server
#    certificates while proxying https:// URLs
#Default:
# none

#  TAG: sslproxy_capath
#    directory containing CA certificates to use when verifying
#    server certificates while proxying https:// URLs
#Default:
# none



On 18.04.2017 18:46, Olly Lennox wrote:
> Hi All,
>
> Still having problems here. This is my https config now:
>
>
> ---------------------------------
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> ---------------------------------
>
>
> I'm running version 3.5.23 with OpenSSL 1.0. I've had to disable libecap because I couldn't build 3.5 with eCAP enabled. I'm getting the following error when trying to connect with SSL:
>
> ---------------------------------
>
> The following error was encountered while trying to retrieve the URL: https://www.google.co.uk/*
>
> Failed to establish a secure connection to 216.58.198.67
>
> The system returned:
>
> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
>
> Your cache administrator is webmaster.
>
> Generated Tue, 18 Apr 2017 12:23:40 GMT by raspberrypi (squid/3.5.23)
> ---------------------------------
>
> The CA is always listed as not known; no matter what site I try, I always get this error.
>
> Any ideas?
>
> Thanks,
>
> Olly
>
> ________________________________
> From: Olly Lennox <[hidden email]>
> To: Amos Jeffries <[hidden email]>; "[hidden email]" <[hidden email]>
> Sent: Sunday, 16 April 2017, 9:31
> Subject: Re: [squid-users] HTTPS woes
>
>
>
> Thanks Amos, it's finally built, but I had to disable eCAP; for whatever reason this kept failing (with version 1.0.1 installed). It failed on a reference to the Area function I think, but I don't have the error message copied. I'm trying now to configure the ssl stare/peek and will let you know how it goes.
>
> Olly

> [hidden email]
> lennox-it.uk
> tel: 07900 648 252
>
>
>
> ________________________________
> From: Amos Jeffries <[hidden email]>
> To: [hidden email]
> Sent: Saturday, 15 April 2017, 23:07
> Subject: Re: [squid-users] HTTPS woes
>
>
>
> On 15/04/2017 9:59 a.m., Olly Lennox wrote:
>> Hi Guys.
>> I'm still struggling with this. I'm trying to build a version of 3.5 but I just can't get it to work. I'm currently attempting to rebuild the stretch package with SSL enabled, but the build keeps failing with the following:
>> ../../src/ssl/gadgets.h:83:45: error: 'CRYPTO_LOCK_X509' was not declared in this scope
>>     typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
>> ../../src/ssl/gadgets.h:89:53: error: 'CRYPTO_LOCK_EVP_PKEY' was not declared in this scope
>>     typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
>> ../../src/ssl/gadgets.h:116:43: error: 'CRYPTO_LOCK_SSL' was not declared in this scope
>>     typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
>> Any ideas?
>
>
> On jessie/stable:
>
> apt-get build-dep squid3
> apt-get install libssl-dev
>
>
> On stretch/testing/unstable:
>
> apt-get build-dep squid
> apt-get install libssl1.0-dev
>
>
> That should do it for you.
>
> Amos
>
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users






--
Bugs to the Future




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: HTTPS woes

Olly Lennox
Would you mind sharing the script you use?
 
[hidden email]
lennox-it.uk
tel: 07900 648 252



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: HTTPS woes

Amos Jeffries
Administrator

Olly, Debian provides a ca-certificates package containing the Mozilla CA list. It is updated whenever the CA set changes. Though of course you should have apt connected to the relevant security repository (jessie-security?) for regular updates.


Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
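The distinction Yuri draws above (roots are trusted anchors; intermediates only complete a chain and have to be maintained separately) and Amos's pointer to the distribution's CA bundle can both be reproduced with plain openssl. The script below is an added example for this page, not code from the thread or from the Squid project. It builds a throwaway PKI with made-up names (Example Root CA, Example Intermediate CA, www.example.test) and lifetimes, then runs "openssl verify" three ways: roots only with the server omitting its intermediate (this is Olly's error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), an intermediate file with no roots (error 2, because an intermediate is not a trust anchor), and roots plus the intermediate supplied as an untrusted helper, which is what sslproxy_cafile together with sslproxy_foreign_intermediate_certs gives Squid. It also shows the kind of expiry check a scheduled bundle refresh should run. It assumes the openssl command-line tool (1.1.0 or newer) is installed.

```shell
#!/bin/sh
# Added example; not code from this thread or from the Squid project.
# Builds a throwaway PKI (root -> intermediate -> server leaf) and uses
# "openssl verify" to show the three situations discussed in the thread:
#   1. roots only, server sends no intermediate
#        -> error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (Olly's error)
#   2. an intermediate file only, no roots
#        -> error 2, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT (intermediates are not roots)
#   3. roots trusted + intermediate supplied as an untrusted helper
#        -> OK; mirrors sslproxy_cafile plus sslproxy_foreign_intermediate_certs
# Needs the openssl CLI (1.1.0 or newer). All names and lifetimes are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create root.pem, int.pem and leaf.pem (plus keys) in directory $1.
build_test_pki() {
  dir=$1
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  # Root: self-signed and long-lived, like the entries in the Mozilla bundle.
  openssl req -new -x509 -config "$dir/pki.cnf" -subj "/CN=Example Root CA" \
    -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.pem" \
    -days 3650 2>/dev/null
  # Intermediate: signed by the root, with a much shorter lifetime.
  openssl req -new -config "$dir/pki.cnf" -subj "/CN=Example Intermediate CA" \
    -newkey rsa:2048 -nodes -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/pki.cnf" -extensions ca_ext -days 400 \
    -out "$dir/int.pem" 2>/dev/null
  # Server certificate, signed by the intermediate.
  openssl req -new -config "$dir/pki.cnf" -subj "/CN=www.example.test" \
    -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -extfile "$dir/pki.cnf" -extensions leaf_ext -days 90 \
    -out "$dir/leaf.pem" 2>/dev/null
}

# Verify certificate $1 using the remaining arguments as "openssl verify"
# options, and print the X509 verify error number: 0 on success, otherwise
# the N from the first "error N at D depth lookup" line. The system trust
# store is excluded so that only the files passed in count.
verify_code() {
  leaf=$1; shift
  if out=$(openssl verify -no-CAfile -no-CApath "$@" "$leaf" 2>&1); then
    echo 0
  else
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

# Print "<total> <expiring>" for PEM bundle $1: how many certificates it holds
# and how many of them expire within $2 seconds (default 30 days). A scheduled
# bundle refresh job should run a check like this before installing the file.
bundle_report() {
  bundle=$1; within=${2:-2592000}
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
                   f { print > f }
                   /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
  total=0; expiring=0
  for c in "$tmp"/*.pem; do
    [ -f "$c" ] || continue
    total=$((total + 1))
    openssl x509 -in "$c" -noout -checkend "$within" >/dev/null 2>&1 || expiring=$((expiring + 1))
  done
  rm -rf "$tmp"
  echo "$total $expiring"
}

build_test_pki "$WORK"
cp "$WORK/root.pem" "$WORK/roots.pem"          # what sslproxy_cafile would point at
cp "$WORK/int.pem" "$WORK/intermediates.pem"   # what sslproxy_foreign_intermediate_certs would point at
cat "$WORK/roots.pem" "$WORK/intermediates.pem" > "$WORK/all.pem"

echo "roots only, no intermediate sent:  error $(verify_code "$WORK/leaf.pem" -CAfile "$WORK/roots.pem")"
echo "intermediate file only, no roots:  error $(verify_code "$WORK/leaf.pem" -CAfile "$WORK/intermediates.pem")"
echo "roots + foreign intermediates:     error $(verify_code "$WORK/leaf.pem" -CAfile "$WORK/roots.pem" -untrusted "$WORK/intermediates.pem")"
echo "bundle: certs / expiring within 2 years: $(bundle_report "$WORK/all.pem" 63072000)"
```

To apply this to Squid: point sslproxy_cafile at the distribution bundle (on Debian the ca-certificates package installs /etc/ssl/certs/ca-certificates.crt), keep the intermediates you collect in the file named by sslproxy_foreign_intermediate_certs, and if you prefer sslproxy_capath remember that OpenSSL looks certificates up in that directory by subject-hash file name, so the directory must be rehashed (c_rehash or openssl rehash) after every change. Running a check like bundle_report from the refresh cron job catches a truncated download or an intermediate about to expire before Squid is reloaded with it.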

Re: HTTPS woes

Olly Lennox
Thanks Amos, I'll install this. One last question if I may! Squid is working fine now with both HTTP and HTTPS but for some reason it is refusing to launch on boot.

It works perfectly when started with "service squid start" but not at boot. The error is:
squid.service - LSB: Squid HTTP Proxy version 3.x
   Loaded: loaded (/etc/init.d/squid; generated; vendor preset: enabled)
   Active: failed (Result: resources) since Wed 2017-04-19 10:19:18 BST; 53s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 598 ExecStart=/etc/init.d/squid start (code=exited, status=0/SUCCESS)

Apr 19 10:19:13 raspberrypi (squid-1)[1606]: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or direct
Apr 19 10:19:13 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1606 exited with status 1
Apr 19 10:19:16 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 started
Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 exited with status 1
Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 will not be restarted due to repeated, frequent failures
Apr 19 10:19:18 raspberrypi squid[1283]: Exiting due to repeated, frequent failures
Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Daemon never wrote its PID file. Failing.
Apr 19 10:19:18 raspberrypi systemd[1]: Failed to start LSB: Squid HTTP Proxy version 3.x.
Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Unit entered failed state.
Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Failed with result 'resources'.

Any ideas?



________________________________
From: Amos Jeffries <[hidden email]>
To: [hidden email]
Sent: Wednesday, 19 April 2017, 5:22
Subject: Re: [squid-users] HTTPS woes



Olly,  Debian provides a ca-certificates package containing the Mozilla CA list. It is updated whenever the CA set changes. Though of course you should have apt connected to the relevant security repository (jesse-security?) for regular updates.


Amos


On 19/04/17 03:10, Olly Lennox wrote:

Would you mind sharing the script you use?

>
>[hidden email]
>lennox-it.uk
>tel: 07900 648 252
>
>
>
>
>________________________________
> From: Yuri Voinov <[hidden email]>
>To: Olly Lennox <[hidden email]>; "[hidden email]" <[hidden email]>
>Sent: Tuesday, 18 April 2017, 16:00
>Subject: Re: [squid-users] HTTPS woes
>
>
>
>I have automated cron job to refresh Mozilla CA's bundle by monthly basis.
>Intermediate CA's, however, requires non-scheduled maintenance. I've maintain it by demand.
>
>
>18.04.2017 20:17, Olly Lennox пишет:
>
>Thanks Yuri! The Mozilla Bundle has worked!! Most of the major sites seem to be working which is all we need. How often do these certificates refresh? Would they need updating every month or so?
>>
>>[hidden email]
>>lennox-it.uk
>>tel: 07900 648 252
>>
>>
>>
>>
>>________________________________
>> From: Yuri Voinov <[hidden email]>
>>To: Olly Lennox <[hidden email]>; "[hidden email]" <[hidden email]>
>>Sent: Tuesday, 18 April 2017, 14:43
>>Subject: Re: [squid-users] HTTPS woes
>>
>>
>>
>>You talked about two different things.
>>1. root CA usually built-in in clients. For standalone use, root CA (from Mozilla) usually distributes with openssl distributions. If you need (or your openssl distribution does not contains root CAs), you can find separately distributed Mozilla CA's by short googling:
>>
>>https://www.google.com/search?q=Mozilla+CA+bundle
>>2. Intermediate CA's is subordinate for roots CA. It does not exists by gouverned repository (because of supporting it is work, manual work and should be do by somebody), moreover, it spreaded across CA authorities. There is no automated tool to support this _intermediate_list. The problem also: intermediate CA's usuallu has much short validity period instead of roots, and should supports all time at time.
>>Finally - it you want to use Squid with SSL Bump, you should understand PKI infrastructure and yes - you should support root CA & intermediate CAs on proxy by yourself all time. There is no free or payment basis service which is do it for you.
>>
>>
>>18.04.2017 19:35, Olly Lennox пишет:
>>
>>So anyone who wants to use Squid over HTTPS in the way has to build this repository themselves by manually downloading all the CA bundles?
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>________________________________
>>> From: Yuri <[hidden email]>
>>>To: Olly Lennox <[hidden email]>; "[hidden email]" <[hidden email]>
>>>Sent: Tuesday, 18 April 2017, 14:03
>>>Subject: Re: [squid-users] HTTPS woes
>>>
>>>
>>>
>>>
>>>
>>>
>>>18.04.2017 18:56, Olly Lennox пишет:
>>>
>>>I'm using
>>>>
>>>>
>>>>sslproxy_foreign_intermediate_certs
>>>>
>>>>
>>>>Is this the same thing?
>>>>
No. You firstly required CA roots available for squid. CA roots and intermediate is the different things.
>>>
>>>
>>>>
>>>>Also is there anywhere to get a bundle of all the major CA intermdiate certs or do you have to download them all manually?
No. You should build it by yourself.
>>>
>>>
>>>
>>>>
>>>>Cheers,
>>>>
>>>>[hidden email]
>>>>lennox-it.uk
>>>>tel: 07900 648
                                       252

>>>>
>>>>
>>>>
>>>>
>>>>________________________________
>>>> From: Yuri <[hidden email]>
>>>>To: [hidden email]
>>>>Sent: Tuesday, 18 April 2017, 13:51
>>>>Subject: Re: [squid-users] HTTPS woes
>>>>
>>>>
>>>>
>>>> Try to specify the root CA bundle/dir explicitly by specifying one of these
>>>> params:
>>>>
>>>> #  TAG: sslproxy_cafile
>>>> #    file containing CA certificates to use when verifying server
>>>> #    certificates while proxying https:// URLs
>>>> #Default:
>>>> # none
>>>>
>>>> #  TAG: sslproxy_capath
>>>> #    directory containing CA certificates to use when verifying
>>>> #    server certificates while proxying https:// URLs
>>>> #Default:
>>>> # none
>>>>
>>>> 18.04.2017 18:46, Olly Lennox wrote:
>>>>> Hi All,
>>>>>
>>>>> Still having problems here. This is my https config now:
>>>>>
>>>>> ---------------------------------
>>>>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>>>>>
>>>>> acl step1 at_step SslBump1
>>>>> ssl_bump peek step1
>>>>> ssl_bump bump all
>>>>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>>>>> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>>>>
>>>>> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>> sslcrtd_children 8 startup=1 idle=1
>>>>> ---------------------------------
>>>>>
>>>>> I'm running version 3.5.23 with openssl 1.0. I've had to disable libecap because I couldn't build 3.5 with ecap enabled. I'm getting the following error when trying to connect with SSL:
>>>>>
>>>>> ---------------------------------
>>>>> The following error was encountered while trying to retrieve the URL: https://www.google.co.uk/*
>>>>>
>>>>> Failed to establish a secure connection to 216.58.198.67
>>>>>
>>>>> The system returned:
>>>>>
>>>>> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>>>>> SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>>>>>
>>>>> This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
>>>>>
>>>>> Your cache administrator is webmaster.
>>>>>
>>>>> Generated Tue, 18 Apr 2017 12:23:40 GMT by raspberrypi (squid/3.5.23)
>>>>> ---------------------------------
>>>>>
>>>>> The CA is always listed as not known; no matter what site I try, I always get this error.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Olly
>>>>>
>>>>> ________________________________
>>>>> From: Olly Lennox <[hidden email]>
>>>>> To: Amos Jeffries <[hidden email]>; "[hidden email]" <[hidden email]>
>>>>> Sent: Sunday, 16 April 2017, 9:31
>>>>> Subject: Re: [squid-users] HTTPS woes
>>>>>
>>>>> Thanks Amos, it's finally built but I had to disable ecap; for whatever reason this kept failing (with version 1.0.1 installed). It failed on a reference to the Area function I think, but I don't have the error message copied. I'm trying now to configure the ssl stare/peek and will let you know how it goes.
>>>>>
>>>>> Olly
>>>>>
>>>>> [hidden email]
>>>>> lennox-it.uk
>>>>> tel: 07900 648 252
>>>>>
>>>>> ________________________________
>>>>> From: Amos Jeffries <[hidden email]>
>>>>> To: [hidden email]
>>>>> Sent: Saturday, 15 April 2017, 23:07
>>>>> Subject: Re: [squid-users] HTTPS woes
>>>>>
>>>>> On 15/04/2017 9:59 a.m., Olly Lennox wrote:
>>>>>> Hi Guys.
>>>>>> I'm still struggling with this. I'm trying to build a version of 3.5 but I just can't get it to work. I'm currently attempting to rebuild the stretch package with SSL enabled but the build keeps failing with the following:
>>>>>>
>>>>>> ../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
>>>>>>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>>>>>                                              ^~~~~~~~~~~~~~~~
>>>>>> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
>>>>>>  typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
>>>>>>                                                              ^
>>>>>> ../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
>>>>>>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>>>>>                                                      ^~~~~~~~~~~~~~~~~~~~
>>>>>> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
>>>>>>  typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
>>>>>>                                                                          ^
>>>>>> ../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
>>>>>>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>>>>>                                            ^~~~~~~~~~~~~~~
>>>>>> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
>>>>>>  typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
>>>>>>                                                           ^
>>>>>> Any ideas?
>>>>>
>>>>> On Jessie/stable:
>>>>>
>>>>> apt-get build-dep squid3
>>>>> apt-get install libssl-dev
>>>>>
>>>>> On stretch/testing/unstable:
>>>>>
>>>>> apt-get build-dep squid
>>>>> apt-get install libssl1.0-dev
>>>>>
>>>>> That should do it for you.
>>>>>
>>>>> Amos
>>>>>
>> --
>> Bugs to the Future
>
> --
> Bugs to the Future

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: HTTPS woes

L.P.H. van Belle
Hai,

I'm guessing squid is starting too soon, or there is no /dev/shm.

Check/try adding, if not already in /etc/fstab:

none      /dev/shm        tmpfs   defaults        0 0

And reboot the server.


Or I don't know, and someone else can tell you. ;-)
But on my jessie with squid 3.5.24+ssl I don't see this problem.

A small tip about the certificates on debian or ubuntu.
Install ca-certificates ( apt-get install ca-certificates )
And read: https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/


Greetz,

Louis

> -----Original message-----
> From: squid-users
> [mailto:[hidden email]] On behalf of Olly Lennox
> Sent: Wednesday, 19 April 2017 11:22
> To: Amos Jeffries; [hidden email]
> Subject: Re: [squid-users] HTTPS woes
>
> Thanks Amos, I'll install this. One last question if I may!
> Squid is working fine now with both HTTP and HTTPS but for
> some reason it is refusing to launch on boot.
>
> It works perfectly when started with "service squid start"
> but not on boot. The error is:
> squid.service - LSB: Squid HTTP Proxy version 3.x
>    Loaded: loaded (/etc/init.d/squid; generated; vendor preset: enabled)
>    Active: failed (Result: resources) since Wed 2017-04-19 10:19:18 BST; 53s ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 598 ExecStart=/etc/init.d/squid start (code=exited, status=0/SUCCESS)
>
> Apr 19 10:19:13 raspberrypi (squid-1)[1606]: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or direct
> Apr 19 10:19:13 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1606 exited with status 1
> Apr 19 10:19:16 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 started
> Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 exited with status 1
> Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 will not be restarted due to repeated, frequent failures
> Apr 19 10:19:18 raspberrypi squid[1283]: Exiting due to repeated, frequent failures
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Daemon never wrote its PID file. Failing.
> Apr 19 10:19:18 raspberrypi systemd[1]: Failed to start LSB: Squid HTTP Proxy version 3.x.
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Unit entered failed state.
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Failed with result 'resources'.
>
> Any ideas?
>
> ________________________________
> From: Amos Jeffries <[hidden email]>
> To: [hidden email]
> Sent: Wednesday, 19 April 2017, 5:22
> Subject: Re: [squid-users] HTTPS woes
>
> Olly,  Debian provides a ca-certificates package containing
> the Mozilla CA list. It is updated whenever the CA set
> changes. Though of course you should have apt connected to
> the relevant security repository (jessie-security?) for
> regular updates.
>
> Amos
>
> On 19/04/17 03:10, Olly Lennox wrote:
> > Would you mind sharing the script you use?
> >
> > [hidden email]
> > lennox-it.uk
> > tel: 07900 648 252
>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: HTTPS woes

Olly Lennox
Hi Louis,

Thanks a lot for the link, I'll implement that once I get this problem fixed. Sadly the change hasn't worked. My current /etc/fstab looks like this:


proc            /proc           proc    defaults          0       0
PARTUUID=0d001852-01  /boot           vfat    defaults          0       2
PARTUUID=0d001852-02  /               ext4    defaults,noatime  0       1
# a swapfile is not a swap partition, no line here
#   use  dphys-swapfile swap[on|off]  for that
tmpfs /cache tmpfs defaults,noatime,nosuid,size=8000m 0 0
none      /dev/shm        tmpfs  defaults        0 0

Could the existing tmpfs line be causing problems?

[hidden email]
lennox-it.uk
tel: 07900 648 252



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: HTTPS woes

Olly Lennox
Never mind, I've sorted it! The issue was due to the /var/run directory and the program not being able to create squid.pid. I amended the permissions and it seems to be working fine now.
 
[hidden email]
lennox-it.uk
tel: 07900 648 252



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: HTTPS woes

Olly Lennox
Sorry it's back,


I've narrowed down the problem, hopefully someone can help. When Squid starts it creates the directory /var/run/squid as user proxy:proxy.

If I remove this or leave it as is then the application won't launch on subsequent reboots.

If I chown the directory as root:root then the application will launch on boot but proxy:proxy takes back ownership and it won't launch again on subsequent reboots.

I'm guessing this is something to do with the running processes, does anyone know what's going wrong?

Cheers,

Olly


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
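Louis's tip to install ca-certificates and Amos's note that Debian keeps that package current cover the system root store; the thread's squid.conf, though, points sslproxy_cafile at a separately downloaded Mozilla bundle (mozcacert.pem), and a bumping proxy validates every origin certificate against that file, so a stale or truncated copy means either spurious trust failures or roots that are never recognised. The script below is an added example written for this page, not code from the Squid project or from anyone in the thread. It assumes curl, sha256sum and optionally the openssl CLI are installed, takes the bundle URL from the thread's final step list, assumes a companion cacert.pem.sha256 digest is published next to it, and defaults DEST to the sslproxy_cafile path from the thread's config.

```shell
#!/bin/sh
# refresh_ca_bundle.sh: fetch the Mozilla CA bundle, check its integrity, install it
# atomically at the sslproxy_cafile path, and tell Squid to re-read its config.
# Added example for this thread, not Squid project code. Assumes curl, sha256sum and
# (optionally) the openssl CLI; the .sha256 companion URL is an assumption.
set -eu

BUNDLE_URL="https://curl.haxx.se/ca/cacert.pem"          # bundle URL named in the thread
SUM_URL="https://curl.haxx.se/ca/cacert.pem.sha256"      # assumed companion digest file
DEST="${DEST:-/etc/squid/ssl_cert/mozcacert.pem}"        # sslproxy_cafile path from the thread's config
MIN_CERTS="${MIN_CERTS:-100}"                            # a real Mozilla bundle carries well over 100 roots

# Print the number of PEM certificate blocks in FILE (0 for an empty or non-PEM file).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Return 0 when FILE's SHA-256 equals the digest in SUMFILE ("<hex>  <name>" form).
verify_sha256() {
    expected=$(cut -d' ' -f1 "$2")
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Return 0 when FILE holds at least MIN certificates and, if openssl is available,
# every block parses (a truncated download fails here rather than inside Squid).
bundle_ok() {
    n=$(count_certs "$1")
    [ "$n" -ge "${2:-$MIN_CERTS}" ] || return 1
    if command -v openssl >/dev/null 2>&1; then
        openssl crl2pkcs7 -nocrl -certfile "$1" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Copy SRC over DEST with a rename in the same directory, so Squid never sees a
# half-written file; the previous bundle is kept as DEST.bak.
install_bundle() {
    tmp="$2.tmp.$$"
    cp "$1" "$tmp"
    chmod 0644 "$tmp"
    if [ -f "$2" ]; then cp -p "$2" "$2.bak"; fi
    mv "$tmp" "$2"
}

refresh() {
    work=$(mktemp -d)
    curl -fsSL -o "$work/cacert.pem" "$BUNDLE_URL"
    curl -fsSL -o "$work/cacert.pem.sha256" "$SUM_URL"
    verify_sha256 "$work/cacert.pem" "$work/cacert.pem.sha256"
    bundle_ok "$work/cacert.pem"
    if [ -f "$DEST" ] && cmp -s "$work/cacert.pem" "$DEST"; then
        echo "bundle unchanged ($(count_certs "$DEST") certificates)"
    else
        install_bundle "$work/cacert.pem" "$DEST"
        echo "installed $(count_certs "$DEST") certificates to $DEST"
        squid -k reconfigure      # makes a running Squid re-read sslproxy_cafile
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "--run" ]; then refresh; fi
```

Run it as `sh refresh_ca_bundle.sh --run` from a monthly cron entry or a systemd timer. The digest file comes from the same server as the bundle, so it catches a truncated or corrupted download rather than a hostile one; authenticity rests on the TLS connection to curl.haxx.se, which is why the apt-delivered ca-certificates package Amos recommends is the better-audited source where it suffices. The count check before install means an empty download never replaces a working bundle.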


Re: HTTPS woes

Amos Jeffries
Administrator
On 20/04/17 04:30, Olly Lennox wrote:

> Sorry it's back,
>
>
> I've narrowed down the problem, hopefully someone can help. When Squid starts it creates the directory /var/run/squid as user proxy:proxy.
>
> If I remove this or leave it as is then the application won't launch on subsequent reboots.
>
> If I chown the directory as root:root then the application will launch on boot but proxy:proxy takes back ownership and it won't launch again on subsequent reboots.
>
> I'm guessing this is something to do with the running processes, does anyone know what's going wrong?
>

/var/run/squid/* is where the FHS standard requires Squid's run-time
dynamic data to be stored. The exception on some systems is the PID file
- though it should really be in there too. The Squid init script on
Debian is enforcing that.

If you have SELinux on the system it may be breaking access to HTTPS
related things since the OpenSSL features are not part of Debian
normally. For example, after initializing the ssl_db directory and
ensuring it has the correct permissions you may need to run 'restorecon
-R' on it.

Amos


Re: HTTPS woes

Eliezer Croitoru
In reply to this post by Olly Lennox
What OS are you using?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Olly Lennox
Sent: Wednesday, April 19, 2017 7:30 PM
To: Olly Lennox <[hidden email]>; L. P. H. van Belle <[hidden email]>; squid-users@squid-cache.org <[hidden email]>
Subject: Re: [squid-users] HTTPS woes

Sorry it's back,


I've narrowed down the problem, hopefully someone can help. When Squid starts it creates the directory /var/run/squid as user proxy:proxy.

If I remove this or leave it as is then the application won't launch on subsequent reboots.

If I chown the directory as root:root then the application will launch on boot but proxy:proxy takes back ownership and it won't launch again on subsequent reboots.

I'm guessing this is something to do with the running processes, does anyone know what's going wrong?

Cheers,

Olly


------------

Never mind I've sorted it! The issue was due to the /var/run directory and the program not being able to create squid.pid. I amended the permissions and it seems to be working fine now.

Thanks a lot for the link, I'll implement that once I get this problem fixed. Sadly the change hasn't worked. My current /etc/fstab looks like this:

proc            /proc           proc    defaults          0       0
PARTUUID=0d001852-01  /boot           vfat    defaults          0       2
PARTUUID=0d001852-02  /               ext4    defaults,noatime  0       1
# a swapfile is not a swap partition, no line here
#   use  dphys-swapfile swap[on|off]  for that
tmpfs /cache tmpfs defaults,noatime,nosuid,size=8000m 0 0
none      /dev/shm        tmpfs  defaults        0 0

Could the existing tmpfs line be causing problems?

[hidden email]
lennox-it.uk
tel: 07900 648 252



________________________________
From: L. P. H. van Belle <[hidden email]>
To: "squid-users@squid-cache.org" <[hidden email]>
Sent: Wednesday, 19 April 2017, 11:05
Subject: Re: [squid-users] HTTPS woes



Hi,

I'm guessing Squid is starting too soon, or there is no /dev/shm.

Check/try adding, if it is not already in /etc/fstab:

none      /dev/shm        tmpfs   defaults        0 0

And reboot the server.

Or, I don't know, and someone else can tell you. ;-)

But on my jessie with squid 3.5.24+ssl I don't see this problem.

A small tip about the certificates on Debian or Ubuntu.

Install ca-certificates ( apt-get install ca-certificates )

And read: https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/

Greetz,

Louis

> -----Original Message-----
> From: squid-users
> [mailto:[hidden email]] On Behalf Of Olly Lennox
> Sent: Wednesday, 19 April 2017 11:22
> To: Amos Jeffries; [hidden email]
> Subject: Re: [squid-users] HTTPS woes
>
> Thanks Amos, I'll install this. One last question if I may!
> Squid is working fine now with both HTTP and HTTPS but for
> some reason it is refusing to launch on boot.
>
> It works perfectly when started with "service squid start"
> but not on boot. The error is:
>
> squid.service - LSB: Squid HTTP Proxy version 3.x
>    Loaded: loaded (/etc/init.d/squid; generated; vendor preset: enabled)
>    Active: failed (Result: resources) since Wed 2017-04-19 10:19:18 BST; 53s ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 598 ExecStart=/etc/init.d/squid start (code=exited, status=0/SUCCESS)
>
> Apr 19 10:19:13 raspberrypi (squid-1)[1606]: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or direct
> Apr 19 10:19:13 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1606 exited with status 1
> Apr 19 10:19:16 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 started
> Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 exited with status 1
> Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 will not be restarted due to repeated, frequent failures
> Apr 19 10:19:18 raspberrypi squid[1283]: Exiting due to repeated, frequent failures
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Daemon never wrote its PID file. Failing.
> Apr 19 10:19:18 raspberrypi systemd[1]: Failed to start LSB: Squid HTTP Proxy version 3.x.
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Unit entered failed state.
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Failed with result 'resources'.
>
> Any ideas?
>
>
> ________________________________
> From: Amos Jeffries <[hidden email]>
> To: [hidden email]
> Sent: Wednesday, 19 April 2017, 5:22
> Subject: Re: [squid-users] HTTPS woes
>
> Olly,  Debian provides a ca-certificates package containing
> the Mozilla CA list. It is updated whenever the CA set
> changes. Though of course you should have apt connected to
> the relevant security repository (jesse-security?) for
> regular updates.
>
> Amos
>
> On 19/04/17 03:10, Olly Lennox wrote:
>
> > Would you mind sharing the script you use?
> >
> > [hidden email]
> > lennox-it.uk
> > tel: 07900 648 252
> >
>



Re: HTTPS woes

Olly Lennox
Raspberry Pi (3) / Stretch repository (required to build 3.5) / Squid 3.5.23

After further investigation the problem is something to do with permissions related to ssl_crtd. I can run squid as root, but using the default account (proxy?) it won't run and is giving this error in cache.log:

2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory


I've checked the file and folder permissions across all aspects of squid and everything I can see is owned by proxy:proxy so not sure where it is failing. My config is now as follows:


acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all

http_port 3130

http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

cache_dir ufs /cache 400 16 256



[hidden email]
lennox-it.uk
tel: 07900 648 252



________________________________
From: Eliezer Croitoru <[hidden email]>
To: "'squid-users@squid-cache.org'" <[hidden email]>
Cc: 'Olly Lennox' <[hidden email]>; 'L. P. H. van Belle' <[hidden email]>
Sent: Wednesday, 19 April 2017, 22:24
Subject: RE: [squid-users] HTTPS woes



What OS are you using?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Olly Lennox
Sent: Wednesday, April 19, 2017 7:30 PM
To: Olly Lennox <[hidden email]>; L. P. H. van Belle <[hidden email]>; squid-users@squid-cache.org <[hidden email]>
Subject: Re: [squid-users] HTTPS woes

Sorry it's back,


I've narrowed down the problem, hopefully someone can help. When Squid starts it creates the directory /var/run/squid as user proxy:proxy.

If I remove this or leave it as is then the application won't launch on subsequent reboots.

If I chown the directory as root:root then the application will launch on boot but proxy:proxy takes back ownership and it won't launch again on subsequent reboots.

I'm guessing this is something to do with the running processes, does anyone know what's going wrong?

Cheers,

Olly


------------

Never mind I've sorted it! The issue was due to the /var/run directory and the program not being able to create squid.pid. I amended the permissions and it seems to be working fine now.

Thanks a lot for the link, I'll implement that once I get this problem fixed. Sadly the change hasn't worked. My current /etc/fstab looks like this:

proc            /proc           proc    defaults          0       0
PARTUUID=0d001852-01  /boot           vfat    defaults          0       2
PARTUUID=0d001852-02  /               ext4    defaults,noatime  0       1
# a swapfile is not a swap partition, no line here
#   use  dphys-swapfile swap[on|off]  for that
tmpfs /cache tmpfs defaults,noatime,nosuid,size=8000m 0 0
none      /dev/shm        tmpfs  defaults        0 0

Could the existing tmpfs line be causing problems?

[hidden email]
lennox-it.uk
tel: 07900 648 252



________________________________
From: L. P. H. van Belle <[hidden email]>
To: "squid-users@squid-cache.org" <[hidden email]>
Sent: Wednesday, 19 April 2017, 11:05
Subject: Re: [squid-users] HTTPS woes



Hi,

I'm guessing Squid is starting too soon, or there is no /dev/shm.

Check/try adding, if it is not already in /etc/fstab:

none      /dev/shm        tmpfs   defaults        0 0

And reboot the server.

Or, I don't know, and someone else can tell you. ;-)

But on my jessie with squid 3.5.24+ssl I don't see this problem.

A small tip about the certificates on Debian or Ubuntu.

Install ca-certificates ( apt-get install ca-certificates )

And read: https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/

Greetz,

Louis

> -----Original Message-----
> From: squid-users
> [mailto:[hidden email]] On Behalf Of Olly Lennox
> Sent: Wednesday, 19 April 2017 11:22
> To: Amos Jeffries; [hidden email]
> Subject: Re: [squid-users] HTTPS woes
>
> Thanks Amos, I'll install this. One last question if I may!
> Squid is working fine now with both HTTP and HTTPS but for
> some reason it is refusing to launch on boot.
>
> It works perfectly when started with "service squid start"
> but not on boot. The error is:
>
> squid.service - LSB: Squid HTTP Proxy version 3.x
>    Loaded: loaded (/etc/init.d/squid; generated; vendor preset: enabled)
>    Active: failed (Result: resources) since Wed 2017-04-19 10:19:18 BST; 53s ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 598 ExecStart=/etc/init.d/squid start (code=exited, status=0/SUCCESS)
>
> Apr 19 10:19:13 raspberrypi (squid-1)[1606]: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or direct
> Apr 19 10:19:13 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1606 exited with status 1
> Apr 19 10:19:16 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 started
> Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 exited with status 1
> Apr 19 10:19:18 raspberrypi squid[1283]: Squid Parent: (squid-1) process 1633 will not be restarted due to repeated, frequent failures
> Apr 19 10:19:18 raspberrypi squid[1283]: Exiting due to repeated, frequent failures
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Daemon never wrote its PID file. Failing.
> Apr 19 10:19:18 raspberrypi systemd[1]: Failed to start LSB: Squid HTTP Proxy version 3.x.
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Unit entered failed state.
> Apr 19 10:19:18 raspberrypi systemd[1]: squid.service: Failed with result 'resources'.
>
> Any ideas?
>
>
> ________________________________
> From: Amos Jeffries <[hidden email]>
> To: [hidden email]
> Sent: Wednesday, 19 April 2017, 5:22
> Subject: Re: [squid-users] HTTPS woes
>
> Olly,  Debian provides a ca-certificates package containing
> the Mozilla CA list. It is updated whenever the CA set
> changes. Though of course you should have apt connected to
> the relevant security repository (jesse-security?) for
> regular updates.
>
> Amos
>
> On 19/04/17 03:10, Olly Lennox wrote:
>
> > Would you mind sharing the script you use?
> >
> > [hidden email]
> > lennox-it.uk
> > tel: 07900 648 252
> >
>



Re: HTTPS woes

Alex Rousskov
On 04/19/2017 04:48 PM, Olly Lennox wrote:

> After further investigation the problem is something to do with permissions related to ssl_crtd.

No, it is not (or at least not yet).


> I can run squid as root but using the default account (proxy?) it
> won't run and is giving this error in cache.log:

> 2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
> FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory

The FATAL line is unrelated to the ssl_crtd line above it (this is one
of several problems with FATAL error handling in Squid).


> I've checked the file and folder permissions across all aspects of
> squid and everything I can see is owned by proxy:proxy so not sure
> where it is failing.

Squid is failing when trying to open a shared memory segment used for
storing SSL sessions. This probably means two things:

1. Your OS environment is not compatible with Squid shared memory needs
(e.g., missing /dev/shm/ or equivalent). More info at
http://wiki.squid-cache.org/Features/SmpScale#Ipc::Mem::Segment::create_failed_to_shm_open.28....29:_.282.29_No_such_file_or_directory

2. There is a bug in Squid: Squid should not create shared memory
segments when running in non-SMP mode. Please consider reporting this
bug if it has not been reported already. At the expense of losing SSL
session resumption capabilities, you should be able to work around this
bug by disabling the session cache:
http://www.squid-cache.org/Doc/config/sslproxy_session_cache_size/


HTH,

Alex.


> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow all
>
> http_port 3130
>
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem
>
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> coredump_dir /var/spool/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320
>
> cache_dir ufs /cache 400 16 256


Re: HTTPS woes

Olly Lennox
Hi Alex,


Thanks for your response. I can confirm that disabling the ssl session cache seems to have resolved the issue. I found another post which references this patch to resolve the issue:

http://www.squid-cache.org/Versions/v4/changesets/squid-4-13984.patch

I've checked the source in main.cc and this seems quite different to what I have in 3.5.23, so I guess it would involve an upgrade to version 4? After the blood and tears I have gone through to get 3.5 working I don't think I'm ready to make that leap yet!!

I checked and the /dev/shm directory does exist with 777 permissions, so from what I can see the OS should support it. I'm out of my depth here so maybe there is more to it, but I can't see why squid couldn't write to this location.
[hidden email]
lennox-it.uk
tel: 07900 648 252



________________________________
From: Alex Rousskov <[hidden email]>
To: "'squid-users@squid-cache.org'" <[hidden email]>
Cc: Olly Lennox <[hidden email]>
Sent: Thursday, 20 April 2017, 0:13
Subject: Re: [squid-users] HTTPS woes



On 04/19/2017 04:48 PM, Olly Lennox wrote:

> After further investigation the problem is something to do with permissions related to ssl_crtd.

No, it is not (or at least not yet).


> I can run squid as root but using the default account (proxy?) it
> won't run and is giving this error in cache.log:

> 2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
> FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory

The FATAL line is unrelated to the ssl_crtd line above it (this is one
of several problems with FATAL error handling in Squid).


> I've checked the file and folder permissions across all aspects of
> squid and everything I can see is owned by proxy:proxy so not sure
> where it is failing.

Squid is failing when trying to open a shared memory segment used for
storing SSL sessions. This probably means two things:

1. Your OS environment is not compatible with Squid shared memory needs
(e.g., missing /dev/shm/ or equivalent). More info at
http://wiki.squid-cache.org/Features/SmpScale#Ipc::Mem::Segment::create_failed_to_shm_open.28....29:_.282.29_No_such_file_or_directory

2. There is a bug in Squid: Squid should not create shared memory
segments when running in non-SMP mode. Please consider reporting this
bug if it has not been reported already. At the expense of losing SSL
session resumption capabilities, you should be able to work around this
bug by disabling the session cache:
http://www.squid-cache.org/Doc/config/sslproxy_session_cache_size/


HTH,

Alex.



> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow all
>
> http_port 3130
>
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem
>
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> coredump_dir /var/spool/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320
>
> cache_dir ufs /cache 400 16 256

Re: HTTPS woes

Alex Rousskov
On 04/19/2017 05:35 PM, Olly Lennox wrote:

> I can confirm that disabling the ssl sesison cache seems to have resolved the issue.

Great!


> I found another post which references this patch to resolve the issue:
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-13984.patch

I am not sure that patch is related to any issues I have talked about.
What "another post" did you find?


> I check and the /dev/shm directory does exist with 777 permissions so
> from what I can see the OS should support it. I'm out of my depth
> here so maybe there is more to it but I can't see why squid couldn't
> write to this location.

Forget about my "OS environment is not compatible" theory (at least for
now). I now see that Squid is failing while trying to _open_ that memory
segment as opposed to failing while _creating_ it.

Did Squid try to create it? Set debug_options to "ALL,3 54,9" and search
for "shm_" and "ssl_session_cache" in cache.log for more clues.

Alex.



> ________________________________
> From: Alex Rousskov <[hidden email]>
> To: "'squid-users@squid-cache.org'" <[hidden email]>
> Cc: Olly Lennox <[hidden email]>
> Sent: Thursday, 20 April 2017, 0:13
> Subject: Re: [squid-users] HTTPS woes
>
>
>
> On 04/19/2017 04:48 PM, Olly Lennox wrote:
>
>> After further investigation the problem is something to do with permissions related to ssl_crtd.
>
> No, it is not (or at least not yet).
>
>
>> I can run squid as root but using the default account (proxy?) it
>> won't run and is giving this error in cache.log:
>
>> 2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
>> FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
>
> The FATAL line is unrelated to the ssl_crtd line above it (this is one
> of several problems with FATAL error handling in Squid).
>
>
>> I've checked the file and folder permissions across all aspects of
>> squid and everything I can see is owned by proxy:proxy so not sure
>> where it is failing.
>
> Squid is failing when trying to open a shared memory segment used for
> storing SSL sessions. This probably means two things:
>
> 1. Your OS environment is not compatible with Squid shared memory needs
> (e.g., missing /dev/shm/ or equivalent). More info at
> http://wiki.squid-cache.org/Features/SmpScale#Ipc::Mem::Segment::create_failed_to_shm_open.28....29:_.282.29_No_such_file_or_directory
>
> 2. There is a bug in Squid: Squid should not create shared memory
> segments when running in non-SMP mode. Please consider reporting this
> bug if it has not been reported already. At the expense of losing SSL
> session resumption capabilities, you should be able to work around this
> bug by disabling the session cache:
> http://www.squid-cache.org/Doc/config/sslproxy_session_cache_size/
>
>
> HTH,
>
> Alex.
>
>
>
>> acl SSL_ports port 443
>> acl Safe_ports port 80        # http
>> acl Safe_ports port 21        # ftp
>> acl Safe_ports port 443        # https
>> acl Safe_ports port 70        # gopher
>> acl Safe_ports port 210        # wais
>> acl Safe_ports port 1025-65535    # unregistered ports
>> acl Safe_ports port 280        # http-mgmt
>> acl Safe_ports port 488        # gss-http
>> acl Safe_ports port 591        # filemaker
>> acl Safe_ports port 777        # multiling http
>> acl CONNECT method CONNECT
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow all
>>
>> http_port 3130
>>
>> http_port 3128 intercept
>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>>
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>> sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem
>>
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
>> sslcrtd_children 8 startup=1 idle=1
>>
>> coredump_dir /var/spool/squid
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp:        1440    20%    10080
>> refresh_pattern ^gopher:    1440    0%    1440
>> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
>> refresh_pattern .        0    20%    4320
>>
>> cache_dir ufs /cache 400 16 256
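Amos's reply earlier in the thread that /var/run/squid is where Squid's run-time data and PID file belong, Louis's fstab hint for /dev/shm, and Alex's two replies (the shm_open failure on /squid-ssl_session_cache.shm, and the advice to search cache.log for "shm_" and "ssl_session_cache") all reduce to start-up preconditions that can be checked before Squid is launched as its unprivileged account. The POSIX shell script below is an added example written for this page, not code from the Squid project or from anyone in the thread. It assumes Linux with GNU stat, /dev/shm as the directory backing shm_open() names, the proxy user and paths shown in the thread, and it constructs a three-line sample cache.log (the two lines quoted in this thread plus one unrelated line) so the log search can be tried without a running Squid.

```shell
#!/bin/sh
# squid_preflight.sh: check the start-up preconditions from this thread before Squid is
# launched as its unprivileged user. Run as that user:  sudo -u proxy sh squid_preflight.sh --run
# Added example for this thread, not Squid project code. Assumes Linux with GNU stat and
# /dev/shm as the directory backing shm_open() names such as /squid-ssl_session_cache.shm.
set -eu

SQUID_USER="${SQUID_USER:-proxy}"                     # Debian's squid account, as in the thread
RUN_DIR="${RUN_DIR:-/var/run/squid}"                  # run-time data and PID file location (FHS, per Amos)
SHM_DIR="${SHM_DIR:-/dev/shm}"                        # Louis's fstab line mounts this as tmpfs
CACHE_LOG="${CACHE_LOG:-/var/log/squid/cache.log}"

# Verdict on one directory: exists, owned by WANT_OWNER, writable by the current user.
# Prints a tagged line and returns 0 only when all three hold.
check_dir() {
    dir=$1; want_owner=$2
    if [ ! -d "$dir" ]; then echo "MISSING  $dir"; return 1; fi
    owner=$(stat -c %U "$dir")
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER    $dir is owned by $owner, expected $want_owner"; return 1
    fi
    probe="$dir/.preflight.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"; echo "OK       $dir writable by $(id -un)"; return 0
    fi
    echo "READONLY $dir not writable by $(id -un)"; return 1
}

# Return 0 when DIR is on a tmpfs mount (what Louis's fstab line provides).
is_tmpfs() {
    [ "$(stat -f -c %T "$1" 2>/dev/null)" = "tmpfs" ]
}

# Print cache.log lines that bear on the failure: Alex's "shm_" / "ssl_session_cache" search.
shm_clues() {
    grep -E 'shm_|ssl_session_cache' "$1" || true
}

# Number of such lines, for scripting.
count_shm_clues() {
    shm_clues "$1" | grep -c . || true
}

# Constructed sample (not a real capture): the two cache.log lines quoted in this thread
# plus one unrelated line, written to FILE so the search can be tried without Squid.
make_sample_log() {
    printf '%s\n' \
        "2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes" \
        "FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory" \
        "2017/04/19 23:43:54 kid1| Squid Cache (Version 3.5.23): Terminated abnormally." > "$1"
}

preflight() {
    rc=0
    check_dir "$RUN_DIR" "$SQUID_USER" || rc=1
    check_dir "$SHM_DIR" root || rc=1
    if is_tmpfs "$SHM_DIR"; then echo "OK       $SHM_DIR is tmpfs"; else echo "WARN     $SHM_DIR is not tmpfs"; fi
    ls -l "$SHM_DIR"/squid-*.shm 2>/dev/null || echo "INFO     no squid-*.shm segments in $SHM_DIR"
    if [ -r "$CACHE_LOG" ]; then echo "--- clues in $CACHE_LOG"; shm_clues "$CACHE_LOG"; fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as the account Squid drops to (sudo -u proxy sh squid_preflight.sh --run): a MISSING or OWNER verdict on /var/run/squid is the squid.pid problem Olly hit, and a MISSING or READONLY verdict on /dev/shm is the shm_open case. If the segment still cannot be opened after those pass, the thread's workaround is to disable the session cache via the sslproxy_session_cache_size directive Alex links; setting it to 0 is what "disabled" is taken to mean here (an assumption to check against your version's documentation), at the cost of TLS session resumption through the proxy.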


Re: HTTPS woes

Olly Lennox
After two and a bit weeks on this I finally have the Raspberry Pi working as a transparent proxy server utilising Diladele to provide web filtering. I'm going to trial it all for the next few weeks to ensure that it's stable, but so far the results have been positive and it's working with HTTP and HTTPS across Windows, iOS and Android devices.

I wanted to say a big thank you to everyone who has responded to my many messages. I'm sure there will be more to come but I wouldn't have got this far without your help, so thank you very much.

FYI the following steps have been necessary:

HTTPS Squid on Raspberry Pi 3:
1. The stretch repositories are required to build squid 3.5 and should be enabled
2. After running apt-get update you should downgrade to openssl v1.0 (from v1.1) to avoid build failures
3. You must disable ecap functionality to avoid build failures; I couldn't get squid 3.5.23 to build with ecap regardless of the version of libecap I used.
4. Download the 3.5.23 source from stretch and follow a guide online to configure, make, and install the packages with ssl and ssl_crtd enabled (careful with the flags if you're following a guide for an older version of squid as the syntax changed)
5. Follow a guide online to install / configure squid 3.5 - specifically creating the cache folders and setting up ssl_crtd and the ssl cache
6. Download the mozilla ca certs bundle (https://curl.haxx.se/ca/cacert.pem or google) which are required for HTTPS to work
7. Ensure sslproxy_session_cache_size is disabled (example config below). Squid will not load on boot with this setting enabled.
8. Check permissions across your squid installation (specifically cache, ssl_crtd and certificate cache/locations) to ensure the proxy:proxy account has access
9. Be careful of the runtime directories which are used. The default location on Rpi is /squid3 but this approach will move everything in /squid so be sure that you use the right one in your config
10. Ensure you generate your self-signed CA certificate/key with SHA-256 (as a minimum) to avoid cert failures in the browser.
11. Bear in mind that your CA certificate will need to be installed/trusted on any device that you wish to use HTTPS on the network

My Config:

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all

http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem

sslproxy_session_cache_size 0
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

cache_dir ufs /cache 400 16 256


----------------

It's worth noting that I could not get udhcpd to start on boot with the Raspberry Pi (which seemed to be the recommended DHCP server online) and had to switch to ISC to get DHCP to work. Bind works fine though and the Diladele filter also installed without a hitch so it's only really DHCP that can trip you up.

Hope this helps someone

Olly

 
[hidden email]
lennox-it.uk
tel: 07900 648 252



________________________________
From: Alex Rousskov <[hidden email]>
To: "'squid-users@squid-cache. org'" <[hidden email]>
Cc: Olly Lennox <[hidden email]>
Sent: Thursday, 20 April 2017, 1:21
Subject: Re: [squid-users] HTTPS woes



On 04/19/2017 05:35 PM, Olly Lennox wrote:

> I can confirm that disabling the ssl session cache seems to have resolved the issue.

Great!


> I found another post which references this patch to resolve the issue:
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-13984.patch

I am not sure that patch is related to any issues I have talked about.
What "another post" did you find?


> I checked and the /dev/shm directory does exist with 777 permissions so
> from what I can see the OS should support it. I'm out of my depth
> here so maybe there is more to it but I can't see why squid couldn't
> write to this location.

Forget about my "OS environment is not compatible" theory (at least for
now). I now see that Squid is failing while trying to _open_ that memory
segment as opposed to failing while _creating_ it.

Did Squid try to create it? Set debug_options to "ALL,3 54,9" and search
for "shm_" and "ssl_session_cache" in cache.log for more clues.


Alex.



> ________________________________
> From: Alex Rousskov <[hidden email]>
> To: "'squid-users@squid-cache. org'" <[hidden email]>
> Cc: Olly Lennox <[hidden email]>
> Sent: Thursday, 20 April 2017, 0:13
> Subject: Re: [squid-users] HTTPS woes
>
>
>
> On 04/19/2017 04:48 PM, Olly Lennox wrote:
>
>> After further investigation the problem is something to do with permissions related to ssl_crtd.
>
> No, it is not (or at least not yet).
>
>
>> I can run squid as root but using the default account (proxy?) it
>> won't run and is giving this error in cache.log:
>
>> 2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
>> FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
>
> The FATAL line is unrelated to the ssl_crtd line above it (this is one
> of several problems with FATAL error handling in Squid).
>
>
>> I've checked the file and folder permissions across all aspects of
>> squid and everything I can see is owned by proxy:proxy so not sure
>> where it is failing.
>
> Squid is failing when trying to open a shared memory segment used for
> storing SSL sessions. This probably means two things:
>
> 1. Your OS environment is not compatible with Squid shared memory needs
> (e.g., missing /dev/shm/ or equivalent). More info at
> http://wiki.squid-cache.org/Features/SmpScale#Ipc::Mem::Segment::create_failed_to_shm_open.28....29:_.282.29_No_such_file_or_directory
>
> 2. There is a bug in Squid: Squid should not create shared memory
> segments when running in non-SMP mode. Please consider reporting this
> bug if it has not been reported already. At the expense of losing SSL
> session resumption capabilities, you should be able to work around this
> bug by disabling the session cache:
> http://www.squid-cache.org/Doc/config/sslproxy_session_cache_size/
>
>
> HTH,
>
> Alex.
>
>
>
>> acl SSL_ports port 443
>> acl Safe_ports port 80        # http
>> acl Safe_ports port 21        # ftp
>> acl Safe_ports port 443        # https
>> acl Safe_ports port 70        # gopher
>> acl Safe_ports port 210        # wais
>> acl Safe_ports port 1025-65535    # unregistered ports
>> acl Safe_ports port 280        # http-mgmt
>> acl Safe_ports port 488        # gss-http
>> acl Safe_ports port 591        # filemaker
>> acl Safe_ports port 777        # multiling http
>> acl CONNECT method CONNECT
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow all
>>
>> http_port 3130
>>
>> http_port 3128 intercept
>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem
>>
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>> sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem
>>
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
>> sslcrtd_children 8 startup=1 idle=1
>>
>> coredump_dir /var/spool/squid
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp:        1440    20%    10080
>> refresh_pattern ^gopher:    1440    0%    1440
>> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
>> refresh_pattern .        0    20%    4320
>>
>> cache_dir ufs /cache 400 16 256
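The checklist in the post above (session cache disabled, one consistent certificate directory, a CA bundle for origin verification, SSLv2/SSLv3 off) is easy to lose track of when hand-editing squid.conf. The following is an added example, not code from the thread or from the Squid project: a small linter that parses a Squid 3.5 configuration and reports which of those points it fails. The sample configuration embedded in it is constructed from the posted config, trimmed to the directives the checks look at, and the check on `http_access allow all` is an assumption about what an administrator would want flagged, not something the thread discusses.

```python
"""Lint a Squid 3.5 ssl-bump configuration against the checklist from the post above.

Added example, not part of the original thread or of Squid itself. The checks encode
the points the thread raises: sslproxy_session_cache_size must be 0 for this build,
cert/key/cafile paths should share one base directory (/etc/squid vs /etc/squid3),
a CA bundle must be configured, and SSLv2/SSLv3 must be disabled.
"""

# Constructed sample: the posted config, trimmed to the directives the linter inspects.
SAMPLE_CONF = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3
ssl_bump peek step1
ssl_bump bump all
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem
sslproxy_session_cache_size 0
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
"""


def parse_conf(text):
    """Return a list of (directive, [args]) tuples, skipping blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def _kv(args):
    """Split key=value tokens of an https_port line into a dict; bare flags map to True."""
    out = {}
    for a in args:
        if "=" in a:
            k, v = a.split("=", 1)
            out[k] = v
        else:
            out[a] = True
    return out


def _base_dir(path):
    """'/etc/squid3/ssl_cert/squid.crt' -> '/etc/squid3' (directory above the cert folder)."""
    return path.rsplit("/", 2)[0]


def lint(text):
    """Return a list of findings (strings); an empty list means the checklist passes."""
    by_name = {}
    for name, args in parse_conf(text):
        by_name.setdefault(name, []).append(args)
    findings = []

    # Step 7 of the post: with a non-SMP build the session cache must be disabled, or
    # startup dies with "Ipc::Mem::Segment::open failed to shm_open(...)".
    cache = by_name.get("sslproxy_session_cache_size")
    if not cache or not cache[-1] or cache[-1][0] != "0":
        findings.append("sslproxy_session_cache_size must be set to 0 for this build")

    # Step 6: without a CA bundle Squid cannot verify origin server certificates.
    cafile = by_name.get("sslproxy_cafile")
    if not cafile or not cafile[-1]:
        findings.append("sslproxy_cafile is missing; origin certs cannot be verified")

    # Step 9: the post warns about mixing /squid and /squid3 runtime directories.
    dirs = set()
    for args in by_name.get("https_port", []):
        opts = _kv(args)
        for key in ("cert", "key"):
            if key in opts:
                dirs.add(_base_dir(opts[key]))
        if "ssl-bump" in opts and "NO_SSLv3" not in str(opts.get("options", "")):
            findings.append("https_port ssl-bump should carry options=NO_SSLv3")
    if cafile and cafile[-1]:
        dirs.add(_base_dir(cafile[-1][0]))
    if len(dirs) > 1:
        findings.append("certificate paths span several base directories: %s"
                        % ", ".join(sorted(dirs)))

    # Outbound side: legacy protocol versions must be off here as well.
    opt_args = by_name.get("sslproxy_options") or [[""]]
    proto_opts = (opt_args[-1][0] if opt_args[-1] else "").split(",")
    for proto in ("NO_SSLv2", "NO_SSLv3"):
        if proto not in proto_opts:
            findings.append("sslproxy_options lacks %s" % proto)

    # Assumption (not from the thread): an unrestricted allow rule is worth a warning so
    # the administrator confirms the proxy is meant to serve any client.
    for args in by_name.get("http_access", []):
        if args[:2] == ["allow", "all"]:
            findings.append("http_access allow all: the proxy accepts requests from any client")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the linter passes the session-cache, CA-bundle and protocol checks and reports only the split between /etc/squid and /etc/squid3 (the point step 9 makes) and the open `http_access allow all` rule; point both cert paths at the same base directory and the directory finding disappears.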