Bug #7871
closedAdd squid validation for selected CA when MITM is enabled
0%
Description
Obviously, this needs to be a CA we have a private key to so that it can issue certificates on the fly to prevent PEBKAC cases such as [1]. The current validation does not check this. [2]
Jim Pingle: Any chance you can hack a quick check for this? Otherwise please re-assign to myself and I'll dig into the certs.inc later, not exactly something I'd be familiar with. The other relevant code is here [3] - so it basically adds the required bits to squid.conf if we can get the private key, if not, it results in broken config as in [1]. I guess there's no need to touch that once the validation is in place though.
[1] https://forum.pfsense.org/index.php?topic=136450.0
[2] https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L808
[3] https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1124
Updated by Kill Bill over 6 years ago
P.S. There's https://github.com/pfsense/FreeBSD-ports/pull/402 that's been sitting there for about a month, would be nice to get both done at the same time.
Updated by Jim Pingle over 6 years ago
- Status changed from New to Feedback
- Target version deleted (
2.4.1)
OK I added two different sets of protection:
1. Input validation to warn if a user selected a CA without a private key
2. I changed it so the CA list does not include entries without a private key
I added #1 in case somehow the user manages to submit the form with an old/invalid setting, but really #2 should make #1 unnecessary. Since it impacts squid so severely, I felt both were warranted.
Removing target version since this is a package and not tied to a specific release.
Updated by Kill Bill over 6 years ago
Looks good here, only usable CAs are being offered in the Squid GUI with 0.4.42. Thanks!
Updated by Jim Pingle over 6 years ago
- Status changed from Feedback to Resolved
Great, thanks for testing!