authorMarcello Coutinho <marcellocoutinho@gmail.com>2013-05-16 18:38:21 -0300
committerMarcello Coutinho <marcellocoutinho@gmail.com>2013-05-16 18:38:21 -0300
commitcfd5b4ea97b817685d4f64cb2ca1b0fa1313ba86 (patch)
tree572ef24811ca36db378943c77e6b661e3dd0de74
parent60b11790e713d6b110c662bcd6f864a4e51a0ff4 (diff)
squid3-dev - change ssl filtering cert combo from server-cert to ca-cert
-rwxr-xr-xconfig/squid3/33/squid.inc11
-rw-r--r--config/squid3/33/squid.xml11
-rw-r--r--pkg_config.8.xml2
-rw-r--r--pkg_config.8.xml.amd642
4 files changed, 15 insertions, 11 deletions
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
index 89a11961..8eb9f2fa 100755
--- a/config/squid3/33/squid.inc
+++ b/config/squid3/33/squid.inc
@@ -824,7 +824,7 @@ function squid_resync_general() {
#Check ssl interception
if (($settings['ssl_proxy'] == 'on')) {
squid_check_ca_hashes();
- $srv_cert = lookup_cert($settings["dcert"]);
+ $srv_cert = lookup_ca($settings["dca"]);
if ($srv_cert != false) {
if(base64_decode($srv_cert['prv'])) {
#check if ssl_db was initilized by squid
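Review bot: `$srv_cert` on the `+` line now holds the CA returned by `lookup_ca()`, not a server certificate, so the name misleads every later use of it, including the write of its private key further down in this function; rename it `$ca` (adjusting the reads below) or at least add `# the CA's private key is what ssl_crtd signs the forged site certificates with` above the lookup. The `$srv_cert != false` / `base64_decode($srv_cert['prv'])` pair falls through silently when the selected CA entry has no private key, which is exactly the case an operator who imported a CA certificate-only will hit; a log line in the `else` would make that failure visible, but that branch is outside the hunk. squid_resync_general() starts before this hunk.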
@@ -836,13 +836,15 @@ function squid_resync_general() {
}
#force squid user permission on /var/squid/lib/ssl_db/
squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy');
+ # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext
$crt_pk=SQUID_CONFBASE."/serverkey.pem";
+ $crt_capath=SQUID_LOCALBASE."/share/certs/";
file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
$sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
- $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk}\n";
+ $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n";
$interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n";
$interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
- $interception_checks .= 'sslproxy_capath '.SQUID_LOCALBASE.'/share/certs'."\n";
+ $interception_checks .= "sslproxy_capath {$crt_capath}\n";
if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
$interception_checks.="sslproxy_cert_error allow all\n";
if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
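Review bot: The private key written to `$crt_pk` by the `file_put_contents` line is now the CA's signing key, and nothing restricts the file mode, so serverkey.pem is created with whatever the process umask allows; anyone who can read it can mint a certificate for any site that every client trusting this CA will accept. Add `chmod($crt_pk, 0600);` immediately after the write and chown it to the account squid loads it as (the `squid_chown_recursive(..., 'proxy', 'proxy')` a few lines up suggests `proxy`, confirm). The new `capath={$crt_capath}` appended to the `ssl-bump` http_port line is probably misplaced: in Squid 3.x the http_port `capath=` option is consulted when verifying client certificates, while upstream server verification is governed by the `sslproxy_capath` line this hunk already rewrites, so check the 3.3 http_port documentation before keeping it. Note that the pre-existing `sslproxy_cert_error allow all` branch disables upstream certificate validation entirely when enabled, which combined with a CA-signed bump turns the proxy into a silent downgrade point; a warning in the GUI description for that option is warranted. squid_resync_general() continues outside this hunk.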
@@ -1087,9 +1089,10 @@ EOC;
}
If ($settings['custom_refresh_patterns'] !="")
- $conf .= sq_text_area_decode($settings['custom_refresh_patterns']);
+ $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n";
$conf .= <<< EOD
+
cache_mem $memory_cache_size MB
maximum_object_size_in_memory {$max_objsize_in_mem} KB
memory_replacement_policy {$memory_policy}
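Review bot: The changed `If (...)` line keeps PHP's keyword capitalised and an unbraced single-statement body, which reads as a typo; write it as `if ($settings['custom_refresh_patterns'] != "") {` with the assignment on its own line and a closing `}`. The appended `"\n"` guarantees the user block ends a line, but the blank line added at the top of the heredoc then yields two newlines when the decoded text already ends with one — harmless to squid, just untidy. The enclosing function starts and ends outside this hunk.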
diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml
index dbaf0895..d64aabb9 100644
--- a/config/squid3/33/squid.xml
+++ b/config/squid3/33/squid.xml
@@ -370,12 +370,13 @@
<default_value>3129</default_value>
</field>
<field>
- <fielddescr>Cert</fielddescr>
- <fieldname>dcert</fieldname>
- <description><![CDATA[Select Certificate to use in SSL interception<br>
- To create a Certificate on pfsense, go to <strong>system -> Cert Manager<strong>]]></description>
+ <fielddescr>CA</fielddescr>
+ <fieldname>dca</fieldname>
+ <description><![CDATA[Select Certificate Authority to use when SSL interception is enabled.<br>
+ To create a CA on pfsense, go to <strong>system -> Cert Manager<strong><br>
+ Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]></description>
<type>select_source</type>
- <source><![CDATA[$config['cert']]]></source>
+ <source><![CDATA[$config['ca']]]></source>
<source_name>descr</source_name>
<source_value>refid</source_value>
</field>
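Review bot: The new description never says that the selected CA must carry its private key in the cert manager — squid.inc only proceeds when the CA entry has a `prv` value and otherwise skips interception silently — nor that the firewall can then sign a certificate for any hostname, which is what clients are trusting when they install it. The second `<strong>` on the `Cert Manager` line is still an opening tag, so the bold run never closes. Suggested text: `Select the Certificate Authority (it must include its private key) used to sign the on-the-fly certificates for intercepted sites. Create one under <strong>System -> Cert Manager</strong> and install its certificate (never its key) as a trusted root on every client you intercept; otherwise every HTTPS connection will show a certificate error.`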
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index e610743f..44c10176 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -1272,7 +1272,7 @@
<pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink>
<website>http://www.squid-cache.org/</website>
<category>Network</category>
- <version>3.3.4 pkg 2.1.1</version>
+ <version>3.3.4 pkg 2.1.2</version>
<status>beta</status>
<required_version>2.0</required_version>
<maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index b07e1358..471bd094 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -1259,7 +1259,7 @@
<pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink>
<website>http://www.squid-cache.org/</website>
<category>Network</category>
- <version>3.3.4 pkg 2.1.1</version>
+ <version>3.3.4 pkg 2.1.2</version>
<status>beta</status>
<required_version>2.0</required_version>
<maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer>