Squid add missing (ca) certificates



  • Hello!

    in pfSense 2.4.2 is there an /official/ way to easily add certificates to the trusted CA store for squid? As far as I can tell from looking at the squid.conf, it seems squid uses the system's (openssl's) certificate chain. So far so good, but there are (a lot of) situations where the administrator might want to trust additional (ca) certificates. Other web filtering products allow adding those certificates to the configuration. As far as I can tell there is nothing like this in pfSense (yet), right?

    Example host which is not working (due to poor config of the server, but anyway adding the intermediate cert would be a valid workaround): https://wiki.squid-cache.org

    Another use case: an administrator would like to allow access to a page which presents a self-signed cert. Or the administrator would like to allow trusting the CA of a third party like a partnering company.

    Is there anything planned regarding this?

    thank you in advance



  • proposed workaround (works for me):

    (create a dir /usr/local/extra/certs/ and put cert files there) (I put any addition into /usr/local/extra)
    certinstall script (which should be run e.g. on startup or manually):

    This can easily be integrated into the squid package (and the certs could be entered via the web interface).

    #!/usr/local/bin/php-cgi -f
    <?php
    // Install every certificate found under $CERTBASE into the hashed OpenSSL
    // store that squid consults, naming each file <subject-hash>.0 as OpenSSL expects.
    $CERTBASE = "/usr/local/extra/certs/";
    $CERTSTORE = "/usr/local/share/certs/";
    $cafiles = glob($CERTBASE . "*.{pem,crt}", GLOB_BRACE);
    foreach ($cafiles as $cafile) {
        $cas = file($cafile);
        $cert = 0;
        $crt = "";
        foreach ($cas as $ca) {
            // A bundle may hold several certificates; collect one BEGIN..END block at a time.
            if (preg_match("/-----BEGIN CERTIFICATE-----/", $ca)) {
                $cert = 1;
            }
            if ($cert == 1) {
                $crt .= $ca;
            }
            if (preg_match("/-----END CERTIFICATE-----/", $ca)) {
                // Write the single certificate to a private temp file (not a fixed,
                // predictable /tmp path) and ask openssl for its subject hash.
                $tmpfile = tempnam("/tmp", "cert");
                file_put_contents($tmpfile, $crt, LOCK_EX);
                $cert_hash = array();
                exec("/usr/bin/openssl x509 -hash -noout -in " . escapeshellarg($tmpfile), $cert_hash);
                unlink($tmpfile);
                // Only install parseable certificates, and never overwrite an existing entry.
                if (!empty($cert_hash[0]) && !file_exists($CERTSTORE . $cert_hash[0] . ".0")) {
                    file_put_contents($CERTSTORE . $cert_hash[0] . ".0", $crt, LOCK_EX);
                }
                $crt = "";
                $cert = 0;
            }
        }
    }
    ?>
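The same idea as the certinstall script above, written as an added shell example that is not part of either post: it splits PEM bundles into single certificates, files each one under the subject-hash name that OpenSSL's `-CApath` lookup expects (and so an OpenSSL-linked squid consults), and then checks that a server certificate actually validates against the resulting store, which is the test a practitioner would want after installing the intermediate for a host like the one mentioned in the question. It goes beyond the PHP version in two respects: certificates whose 8-hex-digit hash collides get the next free suffix instead of being skipped, and re-running it is idempotent. It assumes only a POSIX sh, awk and the `openssl` CLI; the directory names are placeholders and the function names are mine.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumes sh, awk and the openssl CLI.

# install_ca_certs SRC_DIR STORE_DIR
# Split every *.pem / *.crt bundle in SRC_DIR into single certificates and store
# each as STORE_DIR/<subject_hash>.<n>. Different certificates that share a hash
# get suffixes .1, .2, ... ; a certificate already present is not added again.
install_ca_certs() {
    src="$1"; store="$2"
    mkdir -p "$store" || return 1
    tmp=$(mktemp -d) || return 1
    for bundle in "$src"/*.pem "$src"/*.crt; do
        [ -f "$bundle" ] || continue
        # Write each BEGIN..END block of the bundle into its own numbered file.
        awk -v dir="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
            out != ""                    { print > out }
            /-----END CERTIFICATE-----/  { close(out); out = "" }
        ' "$bundle"
        for cert in "$tmp"/*.pem; do
            [ -f "$cert" ] || continue
            # Skip anything openssl cannot parse rather than installing junk.
            if ! subj_hash=$(openssl x509 -subject_hash -noout -in "$cert" 2>/dev/null); then
                rm -f "$cert"; continue
            fi
            i=0
            while [ -e "$store/$subj_hash.$i" ]; do
                # Same content already installed under this hash: nothing to do.
                [ "$(cat "$cert")" = "$(cat "$store/$subj_hash.$i")" ] && break
                i=$((i + 1))
            done
            [ -e "$store/$subj_hash.$i" ] || cp "$cert" "$store/$subj_hash.$i"
            rm -f "$cert"
        done
    done
    rm -rf "$tmp"
}

# count_store_entries STORE_DIR: number of certificate files installed.
count_store_entries() {
    set -- "$1"/*
    [ -e "$1" ] && echo "$#" || echo 0
}

# verify_against_store STORE_DIR CERT_FILE
# Succeeds when CERT_FILE chains to a trust anchor in STORE_DIR (openssl also
# consults its default system store). The output is parsed rather than the
# exit status because older openssl releases did not fail the exit code.
verify_against_store() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Typical call with the directories used in the thread (placeholders here):
#   install_ca_certs /usr/local/extra/certs /usr/local/share/certs
#   verify_against_store /usr/local/share/certs /path/to/server-cert.pem
```

The store directory must be the one the squid binary's OpenSSL really reads; in Squid 3.5 that is whatever `sslproxy_capath` points at (or the library default when unset), so a quick `verify_against_store` against that directory confirms the install before touching the proxy configuration.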

