I am using the sslBump and Dynamic SSL Certificate Generation features of Squid. Below is my configuration for sslBump:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
always_direct allow all
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/myCA.pem
I am facing the below error when I start Squid.
squid -d 23
2014/08/29 16:55:59 kid1| Set Current Directory to /var/cache/squid
2014/08/29 16:55:59 kid1| Starting Squid Cache version 3.4.4.2 for x86_64-redhat-linux-gnu...
2014/08/29 16:55:59 kid1| Process ID 32150
2014/08/29 16:55:59 kid1| Process Roles: worker
2014/08/29 16:55:59 kid1| With 1024 file descriptors available
2014/08/29 16:55:59 kid1| Initializing IP Cache...
2014/08/29 16:55:59 kid1| DNS Socket created at [::], FD 7
2014/08/29 16:55:59 kid1| DNS Socket created at 0.0.0.0, FD 8
2014/08/29 16:55:59 kid1| Adding domain elitecore.co.in from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding domain elitecore.co.in from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding nameserver 203.88.135.194 from /etc/resolv.conf
2014/08/29 16:55:59 kid1| Adding nameserver 4.2.2.2 from /etc/resolv.conf
2014/08/29 16:55:59 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2014/08/29 16:55:59.339 kid1| ErrorDetailManager.cc(254) parse: Remain size: 72 Content: name: X509_V_ERR_AKID_SKID_MISMATCH detail: "%ssl_error_descr: %ssl_subj
2014/08/29 16:55:59.341 kid1| ErrorDetailManager.cc(254) parse: Remain size: 125 Content: name: X509_V_ERR_APPLICATION_VERIFICATION detail: "%ssl_error_descr: %ssl_subject" descr: "Application verification failure"
2014/08/29 16:55:59.341 kid1| ErrorDetailManager.cc(254) parse: Remain size: 0 Content:
2014/08/29 16:55:59.341 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2014/08/29 16:55:59.341 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2014/08/29 16:55:59.341 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/08/29 16:55:59.341 kid1| Store logging disabled
2014/08/29 16:55:59.341 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2014/08/29 16:55:59.341 kid1| Target number of buckets: 1008
2014/08/29 16:55:59.341 kid1| Using 8192 Store buckets
2014/08/29 16:55:59.341 kid1| Max Mem size: 262144 KB
2014/08/29 16:55:59.341 kid1| Max Swap size: 0 KB
2014/08/29 16:55:59.341 kid1| Using Least Load store dir selection
2014/08/29 16:55:59.341 kid1| Set Current Directory to /var/cache/squid
2014/08/29 16:55:59.341 kid1| Finished loading MIME types and icons.
2014/08/29 16:55:59.427 kid1| AsyncCall.cc(18) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x7ff9b784a900 [call18]
2014/08/29 16:55:59.427 kid1| AsyncCall.cc(85) ScheduleCall: StartListening.cc(56) will call clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528) [call18]
2014/08/29 16:55:59.427 kid1| HTCP Disabled.
2014/08/29 16:55:59.427 kid1| Squid plugin modules loaded: 0
2014/08/29 16:55:59.427 kid1| Adaptation support is off.
2014/08/29 16:55:59.428 kid1| AsyncCallQueue.cc(51) fireNext: entering clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528)
2014/08/29 16:55:59.428 kid1| AsyncCall.cc(30) make: make call clientListenerConnectionOpened [call18]
2014/08/29 16:55:59.428 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
2014/08/29 16:55:59.429 kid1| AsyncCallQueue.cc(53) fireNext: leaving clientListenerConnectionOpened(local=[::]:3128 remote=[::] FD 21 flags=9, err=0, HTTP Socket port=0x7ff9b727c528)
2014/08/29 16:55:59.429 kid1| WARNING: ssl_crtd #Hlpr0 exited
2014/08/29 16:55:59.429 kid1| Too few ssl_crtd processes are running (need 1/5)
2014/08/29 16:55:59.429 kid1| Closing HTTP port [::]:3128
2014/08/29 16:55:59.429 kid1| storeDirWriteCleanLogs: Starting...
2014/08/29 16:55:59.429 kid1| Finished. Wrote 0 entries.
2014/08/29 16:55:59.429 kid1| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
2014/08/29 16:55:59.429 kid1| helper.cc(625) helperShutdown: helperShutdown: ssl_crtd #Hlpr0 is CLOSING.
Is there any configuration change or workaround to resolve this error? Tested with RHEL 6.4 and Fedora 18 with Squid 3.2.3, 3.4.4 and 3.3.1.
Best Answer
This can be caused by an uninitialized ssl_db in squid, which can be created with:

& set in /etc/squid/squid.conf. Depending on how your squid was built you may also be able to use security_file_certgen. See also the Squid docs for Dynamic SSL Certificate Generation.
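The answer's diagnosis can be checked before Squid is restarted. The script below is an added example (not from the question, the answer or the Squid project): it inspects the ssl_db path from the question's sslcrtd_program line for the files ssl_crtd expects (index.txt, size and a certs/ directory) and for writability, and prints the one-shot ssl_crtd -c initialisation command when the database is missing. The directory layout and the -c flag are facts about ssl_crtd; the helper and database paths are taken from the posted configuration and can be overridden.

```shell
#!/bin/sh
# Added example: pre-flight check for a Squid ssl_crtd certificate database.
# ssl_crtd -c -s <dir> creates an empty database; the helpers then crash at
# startup if that directory is absent, incomplete or not writable by the
# user Squid runs its helpers as (cache_effective_user).

# Usage: ssl_db_status DB_DIR
# Prints a diagnosis; returns 0 when the database looks usable,
# 1 when it is missing or incomplete, 2 when it exists but is not writable.
ssl_db_status() {
    db="$1"
    missing=""
    [ -d "$db" ] || { echo "missing: directory $db"; return 1; }
    [ -f "$db/index.txt" ] || missing="$missing index.txt"
    [ -f "$db/size" ]      || missing="$missing size"
    [ -d "$db/certs" ]     || missing="$missing certs/"
    if [ -n "$missing" ]; then
        echo "uninitialised ssl_db at $db, missing:$missing"
        return 1
    fi
    # The helper must append to index.txt and write under certs/, so the
    # directory has to be writable by the account running this check.
    [ -w "$db" ] || { echo "ssl_db at $db is not writable by $(id -un)"; return 2; }
    echo "ssl_db at $db looks ready ($(wc -l < "$db/index.txt") certificates indexed)"
    return 0
}

# Usage: ssl_db_fix_hint HELPER_PATH DB_DIR
# Prints the initialisation command to run (as the cache_effective_user)
# before starting Squid again.
ssl_db_fix_hint() {
    printf 'run as the squid helper user: %s -c -s %s\n' "$1" "$2"
}

# Entry point: paths default to the ones in the posted configuration.
# Call as: ssl_db_check [HELPER_PATH] [DB_DIR]
ssl_db_check() {
    helper="${1:-/usr/lib64/squid/ssl_crtd}"
    db="${2:-/usr/local/squid/var/lib/ssl_db}"
    if ssl_db_status "$db"; then
        return 0
    fi
    ssl_db_fix_hint "$helper" "$db"
    return 1
}
```

Separately from the helper crash, the posted sslproxy_flags DONT_VERIFY_PEER and sslproxy_cert_error allow all disable validation of the upstream server certificate, so a bumping proxy configured this way will accept any server certificate on behalf of every client behind it; once the database problem is fixed, those two directives are worth reconsidering.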