Re: [squid-users] Squid 3.2 - Dynamic SSL certs that aren't self-signed

From: Alex Ray <alexray_at_espsolution.net>
Date: Thu, 23 Dec 2010 13:56:49 -0800

2010/12/23 Henrik Nordström <henrik_at_henriknordstrom.net>:
> tor 2010-12-23 klockan 11:52 -0800 skrev Alex Ray:
>> I've written an ad-hoc bash script, ssl_crtd_ca, that acts like the
>> following, but doesn't work when dropped in.  Is there some sort of
>> spec on how ssl_crtd communicates?
>
> src/ssl/ssl_crtd.cc is the closest to a spec I think.
>
> why did you need to write another helper? You can specify a signing CA
> by using the cert= and key= options to http_port in combination with
> generate-host-certificates.
>
> Regards
> Henrik
>
>

When I specify cert and key, then the cert that gets passed doesn't
match the website being loaded. If I do it like this, I end up with
merely self-signed certificates and not certificates signed by my CA:

http_port 3128 ssl-bump generate-host-certificates=on
cert=/etc/ssl/ca/cacert.pem key=/etc/ssl/ca/private/cakey.pem

(it prompts for my password and such, so it is reading those PEMs correctly).

Right now my ssl_crtd_ca does indeed generate the correct
key/certificate, signed by my CA and matching the website being
loaded, but it doesn't work dynamically. What it prints off can be
copied into PEMs and loaded manually and then the site in question
works, but it complains about

2010/12/23 13:54:55 kid1| Closing SSL FD 10 as lacking SSL context

in the cache.log, and in a browser bounces between Looking Up and Waiting For.

Received on Thu Dec 23 2010 - 21:56:56 MST

This archive was generated by hypermail 2.2.0 : Fri Dec 24 2010 - 12:00:03 MST
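The per-host certificate an ssl_crtd-style helper has to mint, as an added example that is not part of this thread or of Squid: a leaf whose subject (and SAN) matches the requested host and whose issuer is the proxy's own CA, so that neither a self-signed leaf nor a mismatched name is handed to the browser. The CA here is a throwaway one created for the demonstration, the `Example Proxy CA` name, the working directory and the function names are constructed, and OpenSSL is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): mint a per-host leaf certificate
# signed by a local CA, the way an ssl_crtd-style helper would for ssl-bump.
# Assumes OpenSSL is installed. All paths and names are constructed here.
set -eu

WORK="${TMPDIR:-/tmp}/hostcert.$$"
CA_CERT="$WORK/cacert.pem"
CA_KEY="$WORK/cakey.pem"

# Create a throwaway CA for the demonstration (in real use, point these at
# the CA that the clients behind the proxy already trust).
make_test_ca() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Proxy CA" \
        -keyout "$CA_KEY" -out "$CA_CERT" >/dev/null 2>&1
}

# gen_host_cert HOST: writes $WORK/HOST.key and $WORK/HOST.crt, where the
# certificate's CN and SAN are HOST and the issuer is the CA above.
gen_host_cert() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    # Sign the CSR with the CA key; the subjectAltName is what browsers check.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 30 -extfile "$WORK/$host.ext" \
        -out "$WORK/$host.crt" >/dev/null 2>&1
}

# cert_matches_host HOST: prints "ok" when the leaf chains to the CA and its
# subject CN equals HOST (the two properties the thread is missing), else
# "mismatch".
cert_matches_host() {
    host="$1"
    if openssl verify -CAfile "$CA_CERT" "$WORK/$host.crt" >/dev/null 2>&1 \
       && openssl x509 -in "$WORK/$host.crt" -noout -subject \
          | grep -q "CN *= *$host"; then
        echo ok
    else
        echo mismatch
    fi
}
```

Running `make_test_ca; gen_host_cert www.example.com; cert_matches_host www.example.com` prints `ok`; the same check against a host that was never minted prints `mismatch`.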