RE: [squid-users] SSLBump and intermedia CA Certificate.

I am also interested in understanding the issue.

Can squid send the certificate chain as a part of the negotiation? Apache is able to do that, so I think the underlining openssl is not the problem. This may require new configure option in the ssl_bump to tell squid where the certificate chain file is.

Ming


> -----Original Message-----
> From: Lindsay Hill [mailto:lindsayh_at_makonetworks.com]
> Sent: Tuesday, June 07, 2011 11:31 PM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] SSLBump and intermedia CA Certificate.
>
> On 06/08/2011 02:52 PM, Amos Jeffries wrote:
> > On Tue, 07 Jun 2011 11:54:52 +0200, Paweł Mojski wrote:
> >> Hi all.
> >>
> >> Finally I successful implemented ssl-bump with dynamic certificate
> >> generation feature.
> >> But, I don't know how to configure squid to use intermediate ca
> >> certificate.
> >> I generated Root CA, then using Root CA i signed Intermediate CA
> >> certificate and now, I want squid to use this Intermediate CA
> >> Certificate while generating certs for https connections.
> >> Then I want to import Root CA certificate into Windows PKI to solve
> >> "Unknown CA" error while surfing https pages.
> >> How can I do that?
> >
> > The client must have a full chain of trust from the root all the way
> > down to the end certificate during the transactions. I think you may
> > find that signing with an intermediate CA needs to install both the
> > root and the intermediate public CA on the clients.
> >
> >
> >> I'm looking around cafile, capath of ssl-bump options but nothing
> >> works for me.
> >
> > http://wiki.squid-cache.org/Features/SslBump
> >
> > To squid there is only the cert PEM you told it to sign with.
> >
> > Amos
> >
>
> This matches up with what I've seen so far with my testing - I thought I
> might be able to get it to provide the full certificate chain to users,
> by playing around with the cafile settings, but no joy. Since all my
> browsers already trust my root CA, I thought that creating an
> intermediate CA for use by Squid would be sufficient. But no, I've had
> to install the intermediate CA on my browsers too. Feature request I
> guess?
>
> - Lindsay
Received on Wed Jun 22 2011 - 21:37:44 MDT