Squid 4.11 Howto create SSL Bump certificates with only 3-12 months date of expiry


Schroeffu

Hi Squid Community,

how can I configure Squid to create SSL Bump certificates with only 3-12 months until expiry?

Currently, Squid's SSL-bumped certificates are valid for 20 years in my case, which is way too long, as Apple, Google and Mozilla will trust only <1-year SSL certificates in the future.

Thanks for any help!
Schroeffu

my conf:

http_port {{ inventory_hostname }}:{{ squid_port }} ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/(***).pem key=/etc/squid/certs/(***).pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
always_direct allow all
ssl_bump bump !domains_dont_sslbump

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid 4.11 Howto create SSL Bump certificates with only 3-12 months date of expiry

Amos Jeffries
Administrator
On 30/06/20 3:13 am, info wrote:
>
> Hi Squid Community,
>
> how can I configure Squid to create SSL Bump certificates with only
> 3-12 months until expiry?
>

As you know Squid uses a helper to generate the certificates. You can
write a helper of your own to generate certificates with any
customizations you like.


> Currently, Squid's SSL-bumped certificates are valid for 20 years in my
> case, which is way too long, as Apple, Google and Mozilla will trust only
> <1-year SSL certificates in the future.
>

The helper bundled with Squid is supposed to be generating certificates
that mimic the same values received from the origin server.

... except that your config below shows that you are requiring
certificates to be generated without any origin server information,
which IIRC means that the CA certificate you configured is used as the
information source for dates etc.


> Thanks for any help!
> Schroeffu
>
> my conf:
>
> http_port {{ inventory_hostname }}:{{ squid_port }} ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/certs/(***).pem key=/etc/squid/certs/(***).pem
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db
> -M 4MB
> always_direct allow all

always_direct is *not* required for SSL-Bump. It was only ever needed
for a 2-week period many years ago for a bug workaround. Please remove
unless you explicitly have other reasons to use it.

> ssl_bump bump !domains_dont_sslbump

There are three solutions you might use. In order of best to worst they are:

1) Fix the ssl_bump behaviour:

 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump splice domains_dont_sslbump
 ssl_bump stare all
 ssl_bump bump all


2) Fix the CA certificate you are using

Check that the dates configured there give that cert a short validity
time. I expect you have one saying 20 years right now.

You may want to do this even if you do option #1 above.


3) write your own cert generator helper


Amos

Re: Squid 4.11 Howto create SSL Bump certificates with only 3-12 months date of expiry

Alex Rousskov
In reply to this post by Schroeffu
On 6/29/20 11:13 AM, [hidden email] wrote:

> how can I configure Squid to create SSL Bump Certifications with only
> 3-12 months date of expiry?

See sslproxy_cert_adapt and its setValidAfter/setValidBefore algorithms.
You will need to use the corresponding dates in your fake CA. These
algorithms copy the dates from your fake CA to the generated certificate.

    http://www.squid-cache.org/Doc/config/sslproxy_cert_adapt/

HTH,

Alex.
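The two fixes the thread converges on (Amos's option 2, a CA whose own validity is short, and Alex's sslproxy_cert_adapt setValidBefore/setValidAfter, which copies the CA's dates into every generated certificate) are shown together below as an added example; it is not code from the thread or from the Squid project. It assumes a scratch directory /tmp/bump-ca-demo, a CA named "Example SSL-Bump CA", a 365-day CA lifetime, a 398-day cutoff for the "too long" check, and the same ssl_db path and security_file_certgen location the original post uses. The expiry check uses openssl's -checkend rather than parsing dates, so it runs the same on GNU and BSD userlands. One caveat worth knowing: the 398-day limit Apple and Chrome introduced in 2020 is enforced for certificates chaining to publicly trusted roots, so a privately installed bump CA is not forced to follow it, but a short window is still good hygiene for a key that can sign for any site. Also note step 5: certificates already sitting in the ssl_db cache keep their old 20-year dates until they are evicted, so the cache has to be recreated after the CA or the adapt rules change.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Builds a short-lived SSL-Bump CA, checks the validity window Squid will
# copy into generated certificates, prints the squid.conf lines for
# sslproxy_cert_adapt, and reinitialises the certificate cache.
# All paths and names below are assumptions; adjust them to your deployment.
set -eu

CA_DIR=${CA_DIR:-/tmp/bump-ca-demo}   # assumed; the thread uses /etc/squid/certs
CA_DAYS=${CA_DAYS:-365}               # inside the 3-12 months the OP asked for
SSL_DB=${SSL_DB:-/var/lib/ssl_db}     # as in the OP's sslcrtd_program line
CERTGEN=${CERTGEN:-/usr/lib/squid/security_file_certgen}
MAX_DAYS=398                          # the browser lifetime limit being referenced

# 1) Generate a CA key and certificate valid for CA_DAYS days. With the
#    setValidBefore/setValidAfter lines from step 4, Squid copies exactly
#    these Not Before / Not After dates into every bumped certificate, so
#    the CA's own lifetime becomes the lifetime of the generated certs.
make_short_lived_ca() {
    mkdir -p "$CA_DIR"
    cat > "$CA_DIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example SSL-Bump CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
        -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" 2>/dev/null
    # One PEM holding cert + key, so http_port cert= and key= can point at the same file
    cat "$CA_DIR/ca.pem" "$CA_DIR/ca.key" > "$CA_DIR/bump-ca.pem"
    chmod 600 "$CA_DIR/ca.key" "$CA_DIR/bump-ca.pem"
}

# 2) Return 0 if certificate $1 expires within $2 days, 1 if it is still valid
#    beyond that. "openssl x509 -checkend N" succeeds when the cert is still
#    valid N seconds from now, which is exactly the "window too long" case.
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo "$1 is still valid $2 days from now: validity window too long" >&2
        return 1
    fi
    return 0
}

# 3) Show the window that generated certificates will inherit.
print_validity() {
    openssl x509 -in "$1" -noout -startdate -enddate
}

# 4) squid.conf lines to add. The ssl_bump ordering itself is in Amos's reply.
squid_conf_fragment() {
    cat <<EOF
# copy Not Before / Not After from the signing CA into every generated cert
sslproxy_cert_adapt setValidBefore all
sslproxy_cert_adapt setValidAfter all
EOF
}

# 5) Already-cached certificates keep their old dates until evicted, so wipe
#    and recreate the cache after changing the CA (-c initialises the db;
#    chown the directory to the squid user afterwards). Only runs where the
#    helper exists, i.e. on a real Squid host.
reinit_cert_cache() {
    rm -rf "$SSL_DB"
    "$CERTGEN" -c -s "$SSL_DB" -M 4MB
}

if command -v openssl >/dev/null 2>&1; then
    make_short_lived_ca
    print_validity "$CA_DIR/ca.pem"
    expires_within_days "$CA_DIR/ca.pem" "$MAX_DAYS"
    squid_conf_fragment
fi
if [ -x "$CERTGEN" ]; then
    reinit_cert_cache
fi
```

After installing the new bump-ca.pem and the two sslproxy_cert_adapt lines, rerunning print_validity against a certificate Squid hands out for any bumped site should show the same Not Before / Not After as the CA; if it still shows the old 20-year window, the cache from step 5 was not recreated or the old CA is still referenced from http_port.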