sslcrtvalidator_program


sslcrtvalidator_program

Eliezer Croitoru-3
I am trying to understand the way the sslcrtvalidator_program  works.
I am pretty sure I have asked this in the past but didn't find it for some
reason.

I want to read line by line so.
/^-----BEGIN CERTIFICATE-----$/
***
/^-----END CERTIFICATE-----$/

What else should I look for? I was thinking about validating with some extra
values in the request, for example ip/domain:port and sni.
Are these available in some way?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: sslcrtvalidator_program

Amos Jeffries
Administrator
On 14/12/20 9:11 am, Eliezer Croitor wrote:

> I am trying to understand the way the sslcrtvalidator_program  works.
> I am pretty sure I have asked this in the past but didn't find it for some
> reason.
>
> I want to read line by line so.
> /^-----BEGIN CERTIFICATE-----$/
> ***
> /^-----END CERTIFICATE-----$/
>
> What else should I look for? I was thinking about validating with some extra
> values in the request, for example ip/domain:port and sni.
> Are these available in some way?


The details you need are all here:

<https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator>

Notice that it receives chains of certificates - maybe several, and/or
out of order. Whatever the client sends.


Amos
Re: sslcrtvalidator_program

Eliezer Croitoru-3
So starts with:
0 cert_validate... line

And ends with?:
error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
error_cert_0=cert0
?

I am unsure, let me try to re-read this section.
I am missing a fake helper for this..
And a "real world" full example.

Can someone simulate it for me?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]

Re: sslcrtvalidator_program

Eliezer Croitoru-3
Found the helper at:

https://github.com/squid-cache/squid/blob/9837567dd913854a4deddcc49043bfd7631ab63f/src/security/cert_validators/fake/security_fake_certverify.pl.in


----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]

Re: sslcrtvalidator_program

Alex Rousskov
In reply to this post by Eliezer Croitoru-3
On 12/14/20 4:26 AM, Eliezer Croitor wrote:
> So starts with:
> 0 cert_validate... line

> And ends with?:
> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
> error_cert_0=cert0
> ?

No. The size of the key=value block is specified on the first request
line. Please try to follow documentation that Amos has pointed you to:
https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator

If that documentation is missing some details, we should fix it.



> I am unsure, let me try to re-read this section.
> I am missing a fake helper for this..
> And a "real world" full example.

> Can someone simulate it for me?

Glad you found
src/security/cert_validators/fake/security_fake_certverify.pl.in. I hope
it still works!


HTH,

Alex.


Re: sslcrtvalidator_program

Eliezer Croitoru-3
Seems to work:
This one output stream.
We can use this as an example for a single transaction in the wiki:
https://gist.githubusercontent.com/elico/a0397c879776336eeae569317015edc1/raw/b34dff8ece76e480007a950655efff3564afcccc/cache.log

Let me know if it's enough to document this subject.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]

Re: sslcrtvalidator_program

Alex Rousskov
On 12/14/20 1:55 PM, Eliezer Croitor wrote:

> We can use this as an example for a single transaction in the wiki:
> https://gist.githubusercontent.com/elico/a0397c879776336eeae569317015edc1/raw/b34dff8ece76e480007a950655efff3564afcccc/cache.log

> Let me know if it's enough to document this subject.

I am not sure I understand your question -- the format is already
documented. If you think that attaching an example of a raw helper
request to that wiki page would help others, please feel free to do so!
Just avoid the implication that all helper requests would have the same
set of fields.

Alex.


Re: sslcrtvalidator_program

Eliezer Croitoru-3
Hey Alex,

Indeed the format is documented.
However, I didn't manage to use the wiki to understand how to parse a single transaction.
I wrote a simple ruby helper but squid claims it crashes rapidly.

Since probably nobody else is willing to do some pipelining job I assume it's on me...
I will try later on the next year to write some ruby code that will make sense to others as well.

I understand what you are saying/writing but from what I see some in the market do not want to pay.
I do not know the reason for this and I am ok in general with BSD style but..
Look at: https://artica-proxy.com/about-webfiltering/

They want a specific price, Should I start charging for my work?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]

Re: sslcrtvalidator_program

Alex Rousskov
On 12/14/20 2:15 PM, Eliezer Croitor wrote:

> I wrote a simple ruby helper but squid claims it crashes rapidly.

> Since probably nobody else is willing to do some pipelining job I
> assume it's on me...

> I understand what you are saying/writing but from what I see some in
> the market do not want to pay.

I am sorry, but you lost me here. I do not understand the connection
between your earlier questions (which Amos and I tried to answer) and
the above statements.

Alex.


Re: sslcrtvalidator_program

Eliezer Croitoru-3
Alex sorry,

There is no connection between you or this sentence.
I don't know why these things keep popping up while I'm sending emails.
The AV should have blocked this proofing software from pasting things while I'm writing but,
sometimes the desktop works in mysterious ways.
... Delete the quoted sentence in the email...

Both of you indeed are answering so again thanks.
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]

Re: sslcrtvalidator_program

Eliezer Croitoru-3
In reply to this post by Alex Rousskov
Hey Alex,

I have tried to read the documentation and to compose a single certificate validation "call" or "request".
The issue with this is that I am unable to do that.
It would help a lot if a single verification request would be public and available to me and maybe others.
The example shows:
0 cert_validate 1519 host=dmz.example-domain.com
cert_0=-----BEGIN CERTIFICATE-----
MIID+DCCA2GgAwIBAgIJAIDcHRUxB2O4MA0GCSqGSIb3DQEBBAUAMIGvMQswCQYD
...
YpVJGt5CJuNfCcB/
-----END CERTIFICATE-----
error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
error_cert_0=cert0

so where is the 0x01 byte and where are the new lines?
Maybe it's written but I do not see it like in the examples of the external_acl helpers.
My assumption for now is that:
## START
0 cert_validate 1519 host=dmz.example-domain.com0x01
cert_0=-----BEGIN CERTIFICATE-----0x01
MIID+DCCA2GgAwIBAgIJAIDcHRUxB2O4MA0GCSqGSIb3DQEBBAUAMIGvMQswCQYD0x01
...
YpVJGt5CJuNfCcB/0x01
-----END CERTIFICATE-----0x01
error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT0x01
error_cert_0=cert0\n
## END

I am pretty sure I am wrong since the helper I wrote doesn't work.

In bash I think I can use the following echo:
echo -n -e 'test\x01'

to emulate it but I still don't get it right.

Hope for a hint about the subject.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon


Re: sslcrtvalidator_program

Alex Rousskov
On 1/18/21 11:53 AM, Eliezer Croitoru wrote:

> I have tried to read the documentation and to compose a single certificate validation "call" or "request".

> It would help a lot if a single verification request would be public and available to me and maybe others.

As I said, please feel free to add that example to the wiki. I do not
have one, but you should be able to collect a sample using strace or
helper debugging.


> The example shows:

> 0 cert_validate 1519 host=dmz.example-domain.com
> cert_0=-----BEGIN CERTIFICATE-----
> MIID+DCCA2GgAwIBAgIJAIDcHRUxB2O4MA0GCSqGSIb3DQEBBAUAMIGvMQswCQYD
> ...
> YpVJGt5CJuNfCcB/
> -----END CERTIFICATE-----
> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
> error_cert_0=cert0

> so where is the 0x01 byte

I have not checked carefully, but I do not think the 0x01 delimiter is
used for certificate generation or validation requests. Their framing
should be size-based, not EOM-delimiter based -- it does not make sense
to use both at once! If you can confirm that suspicion, you should fix
Squid wiki accordingly.


> and where are the new lines?

Probably where you see them in the sample.


> Hope for a hint about the subject.

You should be able to collect it using strace or by adding debugging to
a test helper that simply prints everything it receives, using, say,
c-string escapes or URL encoding for any special character.


HTH,

Alex.



> -----Original Message-----
> From: Alex Rousskov <[hidden email]>
> Sent: Monday, December 14, 2020 9:05 PM
> To: [hidden email]
> Cc: Eliezer Croitor <[hidden email]>
> Subject: Re: [squid-users] sslcrtvalidator_program
>
> On 12/14/20 1:55 PM, Eliezer Croitor wrote:
>
>> We can use this as an example for a single transaction in the wiki:
>> https://gist.githubusercontent.com/elico/a0397c879776336eeae569317015edc1/raw/b34dff8ece76e480007a950655efff3564afcccc/cache.log
>
>> Let me know if it's enough to document this subject.
>
> I am not sure I understand your question -- the format is already
> documented. If you think that attaching an example of a raw helper
> request to that wiki page would help others, please feel free to do so!
> Just avoid the implication that all helper requests would have the same
> set of fields.
>
> Alex.
>
>
>> -----Original Message-----
>> From: Alex Rousskov <[hidden email]>
>> Sent: Monday, December 14, 2020 6:42 PM
>> To: [hidden email]
>> Cc: Eliezer Croitor <[hidden email]>
>> Subject: Re: [squid-users] sslcrtvalidator_program
>>
>> On 12/14/20 4:26 AM, Eliezer Croitor wrote:
>>> So starts with:
>>> 0 cert_validate... line
>>
>>> And ends with?:
>>> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
>>> error_cert_0=cert0
>>> ?
>>
>> No. The size of the key=value block is specified on the first request
>> line. Please try to follow documentation that Amos has pointed you to:
>> https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator
>>
>> If that documentation is missing some details, we should fix it.
>>
>>
>>
>>> I am unsure, let me try to re-read this section.
>>> I am missing a fake helper for this..
>>> And a "real world" full example.
>>
>>> Can someone simulate it for me?
>>
>> Glad you found
>> src/security/cert_validators/fake/security_fake_certverify.pl.in. I hope
>> it still works!
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>> -----Original Message-----
>>> From: squid-users <[hidden email]> On Behalf Of Amos Jeffries
>>> Sent: Monday, December 14, 2020 10:15 AM
>>> To: [hidden email]
>>> Subject: Re: [squid-users] sslcrtvalidator_program
>>>
>>> On 14/12/20 9:11 am, Eliezer Croitor wrote:
>>>> I am trying to understand the way the sslcrtvalidator_program  works.
>>>> I am pretty sure I have asked this in the past but didn’t found it for some
>>>> reason.
>>>>
>>>> I want to read line by line so.
>>>> /^-----BEGIN CERTIFICATE-----$/
>>>> ***
>>>> /^-----END CERTIFICATE-----$/
>>>>
>>>> What else should I look for? I was thinking about validating with some extra
>>>> values in the request, for example ip/domain:port and sni.
>>>> Are these available in some way?
>>>
>>>
>>> The details you need are all here:
>>>
>>>  
>>> <https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator>
>>>
>>> Notice that it receives chains of certificates - maybe several, and/or
>>> out of order. Whatever the client sends.
>>>
>>>
>>> Amos
>>
>


Re: sslcrtvalidator_program

Amos Jeffries
Administrator
In reply to this post by Eliezer Croitoru-3
On 19/01/21 5:53 am, Eliezer Croitoru wrote:

> Hey Alex,
>
> I have tried to read the documentation and to compose a single certificate validation "call" or "request".
> The issue with this is that I am unable to do that.
> It would help a lot if a single verification request would be public and available to me and maybe others.
> The example shows:
> 0 cert_validate 1519 host=dmz.example-domain.com
> cert_0=-----BEGIN CERTIFICATE-----
> MIID+DCCA2GgAwIBAgIJAIDcHRUxB2O4MA0GCSqGSIb3DQEBBAUAMIGvMQswCQYD
> ...
> YpVJGt5CJuNfCcB/
> -----END CERTIFICATE-----
> error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
> error_cert_0=cert0
>
> so where is the 0x01 byte and where are the new lines?


The \0x1 is the "logical line" terminator for the helper query, which
means it goes last. \n is used by the PEM format for certificates.


Amos
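The request shape that Alex and Amos describe above (the "<id> cert_validate <size>" line, a size-delimited key=value block, multi-line PEM values, and a trailing 0x01 logical-line terminator), parsed as an added example that is not Squid's own code nor the fake helper from its source tree. The sample request and its certificate body are constructed, and treating the 0x01 byte as optional follows the two replies' differing descriptions of the framing.

```python
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample request in the shape quoted in the thread; the certificate
# body is dummy base64, not a real certificate.
SAMPLE_BODY = (
    "host=dmz.example-domain.com\n"
    f"cert_0={PEM_BEGIN}\nQUJDREVGRw==\n{PEM_END}\n"
    "error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT\n"
    "error_cert_0=cert0\n"
)
SAMPLE_REQUEST = f"0 cert_validate {len(SAMPLE_BODY)} ".encode() + SAMPLE_BODY.encode() + b"\x01"

def parse_request(raw: bytes) -> dict:
    """Split one cert_validate query into id, host, PEM certs and reported errors."""
    # Request line starts "<id> cert_validate <size> "; <size> bytes of key=value follow.
    m = re.match(rb"(\d+) cert_validate (\d+) ", raw)
    if not m:
        raise ValueError("not a cert_validate request")
    size = int(m.group(2))
    body, tail = raw[m.end():m.end() + size], raw[m.end() + size:]
    if len(body) != size:
        raise ValueError("key=value block shorter than the declared size")
    # Assumption: a single 0x01 byte may follow the block as the logical-line terminator.
    if tail not in (b"", b"\x01"):
        raise ValueError(f"unexpected trailing bytes: {tail!r}")
    fields, certs = {}, {}
    lines = body.decode("ascii").split("\n")
    i = 0
    while i < len(lines):
        key, _, value = lines[i].partition("=")
        if value == PEM_BEGIN:
            # A cert_N value is multi-line PEM: it ends at the END marker, not at a newline.
            pem = [value]
            i += 1
            while i < len(lines) and lines[i] != PEM_END:
                pem.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"{key}: PEM block has no END marker")
            pem.append(PEM_END)
            certs[key] = "\n".join(pem)
        elif key:
            fields[key] = value
        i += 1
    # Pair each error_name_N with the certificate reference in error_cert_N.
    errors = [(fields[f"error_name_{n}"], fields.get(f"error_cert_{n}"))
              for n in range(len(fields)) if f"error_name_{n}" in fields]
    return {"id": int(m.group(1)), "host": fields.get("host"), "certs": certs, "errors": errors}
```

Pointing this at the bytes captured with strace or a logging helper, as Alex suggests, shows whether the size covers exactly the key=value block and whether the 0x01 byte is present.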