diff options
author | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-05-16 18:38:21 -0300 |
---|---|---|
committer | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-05-16 18:38:21 -0300 |
commit | cfd5b4ea97b817685d4f64cb2ca1b0fa1313ba86 (patch) | |
tree | 572ef24811ca36db378943c77e6b661e3dd0de74 /config | |
parent | 60b11790e713d6b110c662bcd6f864a4e51a0ff4 (diff) | |
download | pfsense-packages-cfd5b4ea97b817685d4f64cb2ca1b0fa1313ba86.tar.gz pfsense-packages-cfd5b4ea97b817685d4f64cb2ca1b0fa1313ba86.tar.bz2 pfsense-packages-cfd5b4ea97b817685d4f64cb2ca1b0fa1313ba86.zip |
squid3-dev - change ssl filtering cert combo from server-cert to ca-cert
Diffstat (limited to 'config')
-rwxr-xr-x | config/squid3/33/squid.inc | 11 | ||||
-rw-r--r-- | config/squid3/33/squid.xml | 11 |
2 files changed, 13 insertions, 9 deletions
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc index 89a11961..8eb9f2fa 100755 --- a/config/squid3/33/squid.inc +++ b/config/squid3/33/squid.inc @@ -824,7 +824,7 @@ function squid_resync_general() { #Check ssl interception if (($settings['ssl_proxy'] == 'on')) { squid_check_ca_hashes(); - $srv_cert = lookup_cert($settings["dcert"]); + $srv_cert = lookup_ca($settings["dca"]); if ($srv_cert != false) { if(base64_decode($srv_cert['prv'])) { #check if ssl_db was initilized by squid @@ -836,13 +836,15 @@ function squid_resync_general() { } #force squid user permission on /var/squid/lib/ssl_db/ squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy'); + # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext $crt_pk=SQUID_CONFBASE."/serverkey.pem"; + $crt_capath=SQUID_LOCALBASE."/share/certs/"; file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt'])); $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); - $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk}\n"; + $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n"; $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n"; $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n"; - $interception_checks .= 'sslproxy_capath '.SQUID_LOCALBASE.'/share/certs'."\n"; + $interception_checks .= "sslproxy_capath {$crt_capath}\n"; if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"])) $interception_checks.="sslproxy_cert_error allow all\n"; if (preg_match("/sslproxy_flags/",$settings["interception_checks"])) @@ -1087,9 +1089,10 @@ EOC; } If ($settings['custom_refresh_patterns'] !="") - $conf .= sq_text_area_decode($settings['custom_refresh_patterns']); + $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n"; $conf .= <<< EOD + cache_mem $memory_cache_size MB maximum_object_size_in_memory {$max_objsize_in_mem} KB memory_replacement_policy {$memory_policy} diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml index dbaf0895..d64aabb9 100644 --- a/config/squid3/33/squid.xml +++ b/config/squid3/33/squid.xml @@ -370,12 +370,13 @@ <default_value>3129</default_value> </field> <field> - <fielddescr>Cert</fielddescr> - <fieldname>dcert</fieldname> - <description><![CDATA[Select Certificate to use in SSL interception<br> - To create a Certificate on pfsense, go to <strong>system -> Cert Manager<strong>]]></description> + <fielddescr>CA</fielddescr> + <fieldname>dca</fieldname> + <description><![CDATA[Select Certificate Authority to use when SSL interception is enabled.<br> + To create a CA on pfsense, go to <strong>system -> Cert Manager<strong><br> + Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]></description> <type>select_source</type> - <source><![CDATA[$config['cert']]]></source> + <source><![CDATA[$config['ca']]]></source> <source_name>descr</source_name> <source_value>refid</source_value> </field> |