Re: [squid-users] https_port + ssl-bump + ipv6

From: Loïc Blot <loic.blot_at_unix-experience.fr>
Date: Wed, 11 Sep 2013 09:44:29 +0200

Hello Amos,
thanks for your reply but it doesn't work.

I have these configuration lines:

https_port [::]:3130 intercept ssl-bump cert=/etc/ssl/wildcard-proxies.crt key=/etc/ssl/wildcard-proxies.key
https_port 0.0.0.0:3130 intercept ssl-bump cert=/etc/ssl/wildcard-proxies.crt key=/etc/ssl/wildcard-proxies.key

Squid starts only if they are both commented. I tried to use them
together, IPv4 only and IPv6 only. I always get the following error,
also when I tried IPv6 only:

FATAL: No valid signing SSL certificate configured for https_port
0.0.0.0:3130

Another issue with those lines:

http_port 3128
http_port 0.0.0.0:3129 intercept
http_port [::]:3129 intercept

port 3128 is opened on both IPv4 and IPv6
port 3129 is opened on IPv4 only

It seems there is a problem with intercept and IPv6.

-- 
Best regards, 
Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr
On Wednesday 11 September 2013 at 14:02 +1200, Amos Jeffries wrote:
> On 10/09/2013 8:13 p.m., Loïc Blot wrote:
> > Hello all,
> > I don't know if it's a bug, but there is a strange issue with https_port
> > when IPv6 is enabled.
> >
> > I have 4 squid 3.3.8 proxies (on OpenBSD 5.2). 2 on IPv4 only and 2 with
> > both IPv4 and IPv6.
> >
> > On IPv4 only this configuration line works (--disable-ipv6 option
> > enabled):
> >
> > https_port 3130 intercept ssl-bump cert=/etc/ssl/wildcard-proxies.crt
> > key=/etc/ssl/wildcard-proxies.key
> >
> > On IPv4 and IPv6 squid proxies, squid doesn't accept the certificates:
> > FATAL: No valid signing SSL certificate configured for https_port
> > 0.0.0.0:3130
> >
> > I haven't found solutions on the web. Any idea?
> 
> OpenBSD uses what is known as a "split" TCP stack, where IPv4 and IPv6 
> require two sockets opened. Squid automatically separates the wildcard 
> ports configured but the SSL certificates details are not cloned during 
> that split.
> 
> Until that is fixed you will have to configure the IPv4 and IPv6 versions 
> of the port separately like this:
> 
>    http_port 0.0.0.0:3130 ...
>    http_port [::]:3130 ...
> 
> Amos
Received on Wed Sep 11 2013 - 07:44:47 MDT
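The split-stack workaround Amos describes, as an added example that is not from the thread or from Squid: a small Python check that flags a bare-port ssl-bump listener (the form Squid splits into separate IPv4 and IPv6 sockets on OpenBSD, losing the cert/key on the clone) and rewrites it as the explicit 0.0.0.0/[::] pair. The regex-based parser is my own simplification of squid.conf syntax, not Squid's parser, and the sample configuration is constructed from the lines quoted in the thread.

```python
import re
from typing import Dict, List

# Constructed sample squid.conf fragment based on the thread: a single
# bare-port https_port with ssl-bump plus an explicit IPv6-only intercept port.
SAMPLE_CONF = """\
http_port 3128
https_port 3130 intercept ssl-bump cert=/etc/ssl/wildcard-proxies.crt key=/etc/ssl/wildcard-proxies.key
http_port [::]:3129 intercept
"""

# Matches "http_port ADDR OPTIONS..." and "https_port ADDR OPTIONS..." (simplified).
PORT_RE = re.compile(r"^\s*(https?_port)\s+(\S+)(.*)$")


def parse_ports(conf: str) -> List[Dict]:
    """Parse http_port/https_port lines into host, port and option list (hypothetical helper)."""
    ports = []
    for line in conf.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue
        directive, addr, rest = m.groups()
        if addr.startswith("["):        # [::]:3129 or [2001:db8::1]:3129
            host, port = addr.rsplit(":", 1)
            host = host.strip("[]")
        elif ":" in addr:               # 0.0.0.0:3130 or 192.0.2.1:3130
            host, port = addr.rsplit(":", 1)
        else:                           # bare port: wildcard on both families
            host, port = "", addr
        ports.append({"directive": directive, "host": host, "port": int(port),
                      "opts": rest.split(), "line": line.strip()})
    return ports


def split_stack_issues(conf: str) -> List[str]:
    """Return bare-port ssl-bump listeners: on a split-stack OS Squid clones the
    socket per address family but, per the thread, not the certificate details."""
    return [p["line"] for p in parse_ports(conf)
            if p["host"] == "" and "ssl-bump" in p["opts"]]


def explicit_pair(line: str) -> List[str]:
    """Rewrite a bare-port listener as the explicit IPv4 and IPv6 lines Amos suggests,
    keeping every option (including cert= and key=) on both."""
    directive, addr, rest = PORT_RE.match(line).groups()
    return [f"{directive} 0.0.0.0:{addr}{rest}", f"{directive} [::]:{addr}{rest}"]


if __name__ == "__main__":
    for bad in split_stack_issues(SAMPLE_CONF):
        print("needs explicit v4/v6 lines:", bad)
        print("\n".join(explicit_pair(bad)))
```

Loïc reports above that the explicit pair still fails on his 3.3.8 build, so this reproduces only the configuration step of the workaround, not a confirmed fix.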
