Netgate Discussion Forum

    Squid add missing (ca) certificates

    zacha

      Hello!

      In pfSense 2.4.2, is there an /official/ way to easily add certificates to the trusted CA store for squid? As far as I can tell from looking at the squid.conf, it seems squid uses the system's (openssl's) certificate chain. So far so good, but there are (a lot of) situations where the administrator might want to trust additional (ca) certificates. Other web filtering products allow adding those certificates to the configuration. As far as I can tell there is nothing like this in pfSense (yet), right?

      Example host that is not working (due to poor config of the server, but anyway adding the intermediate cert would be a valid workaround): https://wiki.squid-cache.org

      Another use case: an administrator would like to allow access to a page which presents a self-signed cert. Or the administrator would like to trust the CA of a third party like a partnering company.

      Is there anything planned regarding this?

      Thank you in advance

      zacha

        proposed workaround (works for me):

        (create a dir /usr/local/extra/certs/ and put the cert files there; I put any addition into /usr/local/extra)
        certinstall script (which should be run e.g. on startup or manually):

        This can easily be integrated into the squid package (and the certs could be entered via the web interface)

        #!/usr/local/bin/php-cgi -f
        <?php
        // Copy every certificate found in $CERTBASE/*.pem|*.crt into the OpenSSL
        // hashed store ($CERTSTORE/<subject_hash>.0) so that squid trusts it.
        $CERTBASE  = "/usr/local/extra/certs/";
        $CERTSTORE = "/usr/local/share/certs/";
        $cafiles = glob($CERTBASE . "*.{pem,crt}", GLOB_BRACE);
        // Use a private temp file rather than a fixed /tmp/cert.pem: a predictable
        // name in a world-writable directory can be pre-created by another local user.
        $tmpfile = tempnam(sys_get_temp_dir(), "cert");
        foreach ($cafiles as $cafile) {
            $cas  = file($cafile);   // one bundle file may hold several certificates
            $cert = 0;
            $crt  = "";
            foreach ($cas as $ca) {
                if (preg_match("/-+BEGIN CERTIFICATE-+/", $ca)) {
                    $cert = 1;
                }
                if ($cert == 1) {
                    $crt .= $ca;
                }
                if (preg_match("/-+END CERTIFICATE-+/", $ca)) {
                    // openssl prints the subject hash that the store uses as file name
                    file_put_contents($tmpfile, $crt, LOCK_EX);
                    $cert_hash = array();
                    exec("/usr/bin/openssl x509 -hash -noout -in " . escapeshellarg($tmpfile), $cert_hash);
                    if (!file_exists($CERTSTORE . $cert_hash[0] . ".0")) {
                        file_put_contents($CERTSTORE . $cert_hash[0] . ".0", $crt, LOCK_EX);
                    }
                    $crt  = "";
                    $cert = 0;
                }
            }
        }
        unlink($tmpfile);
        ?>
