ssl-bump causes squid service to shutdown #53

Closed · fifthsegment opened this issue Dec 4, 2015 · 11 comments
@fifthsegment

I'm trying to perform MITM using Squid3 on Windows. Here's my ssl-bump line, copied from my working squid3 on Ubuntu; I've only changed the cert path:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/cygdrive/d/Squid/etc/ssl/cert.pem

If I remove the ssl-bump line (and everything related to it) the proxy starts working fine. Does anyone else face this issue too?

@ra-at-diladele-com
Contributor

Hello fifthsegment, what is in the squid log? Please post only relevant lines.

@fifthsegment
Author

Hi thanks for the fast response. My logs are both empty (access.log and cache.log) with the above configuration line.

However, if I remove the ssl-bump line and replace it with http_port 3128, both log files get filled with logging info.

@ra-at-diladele-com
Contributor

OK, then what is shown when the following command is run: 'squid -k parse'?

@fifthsegment
Author

I get a couple of Warnings and processing statements.
[screenshot of the squid -k parse output]

@ra-at-diladele-com
Contributor

Can you run it with problematic settings for http_port?

@fifthsegment
Author

Hold on, I think I ran without ssl-bump in the above screenshot. My bad, here's the actual output with ssl-bump. The last line says "No valid signing SSL certificate configured for HTTP_port" but this same certificate works fine on my Ubuntu 14.04 box with Squid3 MITM enabled.
[screenshot of the squid -k parse output with ssl-bump enabled]

@fifthsegment
Author

Thanks for that. I've fixed the cert file and squid now starts, but still I'm unable to browse using the proxy. Here's the cache.log:

2015/12/04 23:28:36 kid1| Set Current Directory to /var/cache/squid
2015/12/04 23:28:36 kid1| Starting Squid Cache version 3.5.11 for x86_64-unknown-cygwin...
2015/12/04 23:28:36 kid1| Service Name: squid
2015/12/04 23:28:36 kid1| Process ID 6848
2015/12/04 23:28:36 kid1| Process Roles: worker
2015/12/04 23:28:36 kid1| With 3200 file descriptors available
2015/12/04 23:28:36 kid1| Initializing IP Cache...
2015/12/04 23:28:36 kid1| parseEtcHosts: /etc/hosts: (2) No such file or directory
2015/12/04 23:28:36 kid1| DNS Socket created at [::], FD 5
2015/12/04 23:28:36 kid1| DNS Socket created at 0.0.0.0, FD 6
2015/12/04 23:28:36 kid1| Adding nameserver 8.8.8.8 from squid.conf
2015/12/04 23:28:36 kid1| Adding nameserver 208.67.222.222 from squid.conf
2015/12/04 23:28:36 kid1| /var/run/squid/lib/ssl_db: (2) No such file or directory
2015/12/04 23:28:36 kid1| helperOpenServers: Starting 5/32 'ssl_crtd.exe' processes
2015/12/04 23:28:36 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
(ssl_crtd.exe): Uninitialized SSL certificate database directory: /var/run/squid/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/run/squid/lib/ssl_db".
2015/12/04 23:28:36 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2015/12/04 23:28:36 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
(ssl_crtd.exe): Uninitialized SSL certificate database directory: /var/run/squid/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/run/squid/lib/ssl_db".
2015/12/04 23:28:36 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
(ssl_crtd.exe): Uninitialized SSL certificate database directory: /var/run/squid/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/run/squid/lib/ssl_db".
2015/12/04 23:28:36 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
(ssl_crtd.exe): Uninitialized SSL certificate database directory: /var/run/squid/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/run/squid/lib/ssl_db".
2015/12/04 23:28:36 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2015/12/04 23:28:36 kid1| Logfile Daemon: opening log /var/log/squid/access.log
(ssl_crtd.exe): Uninitialized SSL certificate database directory: /var/run/squid/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/run/squid/lib/ssl_db".
2015/12/04 23:28:36 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2015/12/04 23:28:36 kid1| Store logging disabled
2015/12/04 23:28:36 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2015/12/04 23:28:36 kid1| Target number of buckets: 1008
2015/12/04 23:28:36 kid1| Using 8192 Store buckets
2015/12/04 23:28:36 kid1| Max Mem size: 262144 KB
2015/12/04 23:28:36 kid1| Max Swap size: 0 KB
2015/12/04 23:28:36 kid1| Using Least Load store dir selection
2015/12/04 23:28:36 kid1| Set Current Directory to /var/cache/squid
2015/12/04 23:28:36 kid1| Finished loading MIME types and icons.
2015/12/04 23:28:36 kid1| WARNING: No ssl_bump configured. Disabling ssl-bump on http_port [::]:3128
2015/12/04 23:28:36 kid1| HTCP Disabled.
2015/12/04 23:28:36 kid1| Squid plugin modules loaded: 0
2015/12/04 23:28:36 kid1| Adaptation support is on
2015/12/04 23:28:36 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 21 flags=9
2015/12/04 23:28:36 kid1| WARNING: ssl_crtd #Hlpr1 exited
2015/12/04 23:28:36 kid1| Too few ssl_crtd processes are running (need 1/32)
2015/12/04 23:28:36 kid1| Closing HTTP port [::]:3128
2015/12/04 23:28:36 kid1| storeDirWriteCleanLogs: Starting...
2015/12/04 23:28:36 kid1| Finished. Wrote 0 entries.
2015/12/04 23:28:36 kid1| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

@fifthsegment
Author

Turns out I had to initialize an SSL_db in D:/Squid/var/run/squid/lib/ssl_db, not in D:/Squid/var/run/squid/ssl_db; once I did, everything started working like a charm.

Thanks for the help :)

@wanggaolin

I've come across this problem.
squid config:
http_port 3127
http_port 3128 transparent
https_port 3129 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/data/ssl/migang.crt key=/data/ssl/migang.key
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db

my error log:
2016/09/06 07:48:41| Starting Squid Cache version 3.3.14 for x86_64-unknown-linux-gnu...
2016/09/06 07:48:41| Process ID 6409
2016/09/06 07:48:41| Process Roles: master worker
2016/09/06 07:48:41| With 655360 file descriptors available
2016/09/06 07:48:41| Initializing IP Cache...
2016/09/06 07:48:41| DNS Socket created at [::], FD 5
2016/09/06 07:48:41| DNS Socket created at 0.0.0.0, FD 6
2016/09/06 07:48:41| Adding nameserver 172.16.1.6 from /etc/resolv.conf
2016/09/06 07:48:41| Adding nameserver 172.16.1.7 from /etc/resolv.conf
2016/09/06 07:48:41| helperOpenServers: Starting 5/32 'ssl_crtd' processes
2016/09/06 07:48:41| Logfile: opening log daemon:/usr/local/squid/var/logs/access.log
2016/09/06 07:48:41| Logfile Daemon: opening log /usr/local/squid/var/logs/access.log
2016/09/06 07:48:41| Store logging disabled
2016/09/06 07:48:41| Swap maxSize 2048000 + 262144 KB, estimated 177703 objects
2016/09/06 07:48:41| Target number of buckets: 8885
2016/09/06 07:48:41| Using 16384 Store buckets
2016/09/06 07:48:41| Max Mem size: 262144 KB
2016/09/06 07:48:41| Max Swap size: 2048000 KB
2016/09/06 07:48:41| Rebuilding storage in /data/cache (clean log)
2016/09/06 07:48:41| Using Least Load store dir selection
2016/09/06 07:48:41| Set Current Directory to /usr/local/squid/var/cache/squid
2016/09/06 07:48:41| Loaded Icons.
2016/09/06 07:48:41| HTCP Disabled.
2016/09/06 07:48:41| Squid plugin modules loaded: 0
2016/09/06 07:48:41| Adaptation support is off.
2016/09/06 07:48:41| Accepting HTTP Socket connections at local=[::]:3127 remote=[::] FD 21 flags=9
2016/09/06 07:48:41| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 22 flags=41
2016/09/06 07:48:41| Accepting TPROXY spoofing SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 23 flags=25
2016/09/06 07:48:41| Done reading /data/cache swaplog (26 entries)
2016/09/06 07:48:41| Finished rebuilding storage from disk.
2016/09/06 07:48:41| 26 Entries scanned
2016/09/06 07:48:41| 0 Invalid entries.
2016/09/06 07:48:41| 0 With invalid flags.
2016/09/06 07:48:41| 26 Objects loaded.
2016/09/06 07:48:41| 0 Objects expired.
2016/09/06 07:48:41| 0 Objects cancelled.
2016/09/06 07:48:41| 0 Duplicate URLs purged.
2016/09/06 07:48:41| 0 Swapfile clashes avoided.
2016/09/06 07:48:41| Took 0.03 seconds (745.43 objects/sec).
2016/09/06 07:48:41| Beginning Validation Procedure
2016/09/06 07:48:41| Completed Validation Procedure
2016/09/06 07:48:41| Validated 26 Entries
2016/09/06 07:48:41| store_swap_size = 7636.00 KB
2016/09/06 07:48:41| WARNING: ssl_crtd #1 exited
2016/09/06 07:48:41| Too few ssl_crtd processes are running (need 1/32)
2016/09/06 07:48:41| Closing HTTP port [::]:3127
2016/09/06 07:48:41| Closing HTTP port 0.0.0.0:3128
2016/09/06 07:48:41| Closing HTTPS port [::]:3129
2016/09/06 07:48:41| storeDirWriteCleanLogs: Starting...
2016/09/06 07:48:41| Finished. Wrote 26 entries.
2016/09/06 07:48:41| Took 0.00 seconds (22787.03 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

Can you help me?
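Both failures in this thread are the same shape: Squid starts, the ssl_crtd helpers exit immediately, and Squid gives up with "The ssl_crtd helpers are crashing too rapidly". In the first case the cause was an ssl_crtd database that had not been initialised at the path the helper was actually given (and the earlier "No valid signing SSL certificate configured" came from the cert= file); the first cache.log above also shows "No ssl_bump configured. Disabling ssl-bump", which means no ssl_bump rules were present. The script below is an added example, not code from the issue or from the Diladele squid-windows build: a pre-flight check that reads a squid.conf, pulls the "-s <dir>" argument out of the sslcrtd_program line and the cert=/key= options out of the ssl-bump port line, and reports what would make the helper die before Squid is started. It assumes (this is not stated on the page) that a database created by "ssl_crtd -c -s <dir>" contains the files index.txt and serial, and that the private key lives in the cert= file when no key= option is given; the sample squid.conf and cert file it runs on are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example: pre-flight check for a Squid ssl-bump setup. This is not code
# from the issue or from the Diladele squid-windows build. Assumptions not stated
# on the page: an initialised ssl_crtd database directory contains the files
# "index.txt" and "serial"; when the port line has no key= option the private
# key must be inside the cert= file.

# Print the "-s <dir>" argument of the sslcrtd_program line (empty if unset).
sslbump_db_dir() {
    sed -n 's/^[[:space:]]*sslcrtd_program[[:space:]].*-s[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Print option $2 (cert, key, ...) of the first http_port/https_port line with ssl-bump.
sslbump_port_option() {
    grep -E '^[[:space:]]*https?_port[[:space:]].*ssl-bump' "$1" | head -n 1 |
        tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Succeeds if the directory looks like a database created by "ssl_crtd -c -s <dir>".
sslbump_db_initialised() {
    [ -d "$1" ] && [ -f "$1/index.txt" ] && [ -f "$1/serial" ]
}

# Succeeds if the PEM file contains a block of kind $2 ("CERTIFICATE", "PRIVATE KEY").
pem_has_block() {
    [ -f "$1" ] && grep -q -e "-----BEGIN .*$2-----" "$1"
}

# Check one squid.conf; prints one line per finding, returns the number of problems.
sslbump_preflight() {
    conf="$1"; problems=0
    db=$(sslbump_db_dir "$conf")
    if [ -z "$db" ]; then
        echo "problem: no sslcrtd_program line; Squid uses its compiled-in helper and path (cache.log's 'Uninitialized SSL certificate database directory' message names the directory in use)"
        problems=$((problems + 1))
    elif sslbump_db_initialised "$db"; then
        echo "ok: ssl_crtd database initialised at $db"
    else
        echo "problem: $db is not an initialised ssl_crtd database; run: ssl_crtd -c -s $db (as the user Squid's helpers run as)"
        problems=$((problems + 1))
    fi
    cert=$(sslbump_port_option "$conf" cert)
    key=$(sslbump_port_option "$conf" key)
    [ -n "$key" ] || key="$cert"
    if [ -z "$cert" ]; then
        echo "problem: the ssl-bump port line has no cert= option"
        problems=$((problems + 1))
    else
        pem_has_block "$cert" CERTIFICATE ||
            { echo "problem: no CERTIFICATE block in $cert"; problems=$((problems + 1)); }
        pem_has_block "$key" "PRIVATE KEY" ||
            { echo "problem: no PRIVATE KEY block in $key (see 'No valid signing SSL certificate configured' above)"; problems=$((problems + 1)); }
    fi
    grep -Eq '^[[:space:]]*ssl_bump[[:space:]]' "$conf" ||
        { echo "problem: no ssl_bump rules ('No ssl_bump configured. Disabling ssl-bump' in cache.log)"; problems=$((problems + 1)); }
    return "$problems"
}

# Demo on constructed input in a scratch directory (no real Squid needed): the
# database directory exists but was never initialised, the cert file has no key,
# and there are no ssl_bump rules, which is three problems.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/ssl_db"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed placeholder' '-----END CERTIFICATE-----' > "$demo_dir/cert.pem"
cat > "$demo_dir/squid.conf" <<EOF
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=$demo_dir/cert.pem
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s $demo_dir/ssl_db -M 4MB
EOF
sslbump_preflight "$demo_dir/squid.conf"
echo "problems found: $?"
```

Run it against the real squid.conf before starting Squid; "squid -k parse" checks the syntax but never exercises the helper, which is why both configurations above parsed cleanly and still died at startup. Two operational points follow from what the check looks at: the cert= file is the private key of a CA that every proxied client trusts, so it should be readable only by the account Squid runs as, and the ssl_db directory should be created by (or chowned to) that same account, since ssl_crtd writes the generated certificates into it at runtime.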

@ra-at-diladele-com
Contributor

Hello wanggaolin,

Sorry, we only build the squid binaries and make an MSI out of them. I vaguely remember there is a bug in Cygwin that somehow prevents any squid external helper from functioning properly. See nodejs/node-v0.x-archive#6459

I am not sure what can be done.

@ea-at-diladele-com
Contributor

How to enable HTTPS decryption on Windows is described in the following tutorial:
https://docs.diladele.com/faq/squid/sslbump_squid_windows.html
