From cfd5b4ea97b817685d4f64cb2ca1b0fa1313ba86 Mon Sep 17 00:00:00 2001
From: Marcello Coutinho
Date: Thu, 16 May 2013 18:38:21 -0300
Subject: squid3-dev - change ssl filtering cert combo from server-cert to ca-cert
---
 config/squid3/33/squid.inc | 11 +++++++----
 config/squid3/33/squid.xml | 11 ++++++-----
 2 files changed, 13 insertions(+), 9 deletions(-)
(limited to 'config/squid3')
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
index 89a11961..8eb9f2fa 100755
--- a/config/squid3/33/squid.inc
+++ b/config/squid3/33/squid.inc
@@ -824,7 +824,7 @@ function squid_resync_general() {
 #Check ssl interception
 if (($settings['ssl_proxy'] == 'on')) {
 squid_check_ca_hashes();
- $srv_cert = lookup_cert($settings["dcert"]);
+ $srv_cert = lookup_ca($settings["dca"]);
 if ($srv_cert != false) {
 if(base64_decode($srv_cert['prv'])) {
 #check if ssl_db was initilized by squid
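Review bot: The new `lookup_ca($settings["dca"])` can return a CA entry that was imported with its certificate only, and the line after it reads `$srv_cert['prv']` without checking that the index exists; the `base64_decode` truthiness test copes with an empty key, but a missing index raises a PHP notice and ssl-bump is then set up (or not) by whatever the else branch outside this hunk does, with no message telling the admin why. Dynamic host-certificate generation cannot work without the CA's private key, so this case deserves an explicit check and a log line, e.g. `if ($srv_cert != false && !empty($srv_cert['prv'])) {` with a `log_error("Selected CA has no private key; SSL interception disabled")` in the failure path. squid_resync_general() starts before and continues past this hunk.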
@@ -836,13 +836,15 @@ function squid_resync_general() { } #force squid user permission on /var/squid/lib/ssl_db/ squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy'); + # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext $crt_pk=SQUID_CONFBASE."/serverkey.pem"; + $crt_capath=SQUID_LOCALBASE."/share/certs/"; file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt'])); $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); - $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk}\n"; + $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n"; $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n"; $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n"; - $interception_checks .= 'sslproxy_capath '.SQUID_LOCALBASE.'/share/certs'."\n"; + $interception_checks .= "sslproxy_capath {$crt_capath}\n"; if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"])) $interception_checks.="sslproxy_cert_error allow all\n"; if (preg_match("/sslproxy_flags/",$settings["interception_checks"])) @@ -1087,9 +1089,10 @@ EOC; } If ($settings['custom_refresh_patterns'] !="") - $conf .= sq_text_area_decode($settings['custom_refresh_patterns']); + $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n"; $conf .= <<< EOD + cache_mem $memory_cache_size MB maximum_object_size_in_memory {$max_objsize_in_mem} KB memory_replacement_policy {$memory_policy} diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml index dbaf0895..d64aabb9 100644 --- a/config/squid3/33/squid.xml +++ b/config/squid3/33/squid.xml 
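Review bot: The `file_put_contents($crt_pk, ...)` call now writes the CA private key to `serverkey.pem` with whatever mode the process umask gives it, and nothing in the hunk tightens that — the `squid_chown_recursive` call just above only covers `/var/squid/lib/ssl_db/`. After this change the file holds a key that every filtered client trusts for any hostname (`generate-host-certificates=on`), so a world-readable copy is considerably more damaging than the leaf server key it replaces. Add `chmod($crt_pk, 0600);` immediately after the write, and chown it to the account that actually opens it if Squid reads the file after dropping privileges (not determinable from this hunk). Separately, the `capath={$crt_capath}` appended to the `ssl-bump` http_port line is, going by the option list in the comment added above it (`clientca, cafile, capath`), a client-certificate verification setting; it duplicates the `sslproxy_capath` directive below and looks unnecessary unless client-cert authentication is intended. squid_resync_general() starts before and continues past this hunk.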
@@ -370,12 +370,13 @@ 3129 - Cert - dcert - - To create a Certificate on pfsense, go to system -> Cert Manager]]> + CA + dca + + To create a CA on pfsense, go to system -> Cert Manager
+ Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]>
select_source - + descr refid
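Review bot: The new description tells the admin to install the CA certificate as trusted on every client but does not say what that grants: with the CA selected here, the proxy can mint a certificate for any HTTPS site and the private key is exported to the Squid configuration directory by squid.inc, so this should not be an organisation's general-purpose root CA. Suggest extending the added description with `Use a CA created solely for SSL interception: its private key is copied to the Squid configuration directory, and anyone who obtains it can impersonate any HTTPS site to every client that trusts this CA.` and fixing the grammar of the existing sentence to `Install the CA certificate as a trusted CA on each computer whose SSL traffic you want to filter, to avoid certificate errors on every connection.`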