RE: [squid-users] SSLBump and intermediate CA Certificate.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 23 Jun 2011 11:19:57 +1200

 On Wed, 22 Jun 2011 21:37:35 +0000, Ming Fu wrote:
> I am also interested in understanding the issue.
>
> Can squid send the certificate chain as a part of the negotiation?
> Apache is able to do that, so I think the underlying OpenSSL is not
> the problem. This may require new configure option in the ssl_bump to
> tell squid where the certificate chain file is.

 It is indeed possible.
 The certificate generator is new and does not cover every possible
 situation of SSL. Patches welcome.

 Amos

>
> Ming
>
>
>> -----Original Message-----
>> From: Lindsay Hill [mailto:lindsayh_at_makonetworks.com]
>> Sent: Tuesday, June 07, 2011 11:31 PM
>> To: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] SSLBump and intermediate CA Certificate.
>>
>> On 06/08/2011 02:52 PM, Amos Jeffries wrote:
>> > On Tue, 07 Jun 2011 11:54:52 +0200, Paweł Mojski wrote:
>> >> Hi all.
>> >>
>> >> Finally I successfully implemented ssl-bump with dynamic certificate
>> >> generation feature.
>> >> But, I don't know how to configure squid to use intermediate ca
>> >> certificate.
>> >> I generated Root CA, then using Root CA I signed Intermediate CA
>> >> certificate and now, I want squid to use this Intermediate CA
>> >> Certificate while generating certs for https connections.
>> >> Then I want to import Root CA certificate into Windows PKI to solve
>> >> "Unknown CA" error while surfing https pages.
>> >> How can I do that?
>> >
>> > The client must have a full chain of trust from the root all the way
>> > down to the end certificate during the transactions. I think you may
>> > find that signing with an intermediate CA needs to install both the
>> > root and the intermediate public CA on the clients.
>> >
>> >
>> >> I'm looking around cafile, capath of ssl-bump options but nothing
>> >> works for me.
>> >
>> > http://wiki.squid-cache.org/Features/SslBump
>> >
>> > To squid there is only the cert PEM you told it to sign with.
>> >
>> > Amos
>> >
>>
>> This matches up with what I've seen so far with my testing - I thought I
>> might be able to get it to provide the full certificate chain to users,
>> by playing around with the cafile settings, but no joy. Since all my
>> browsers already trust my root CA, I thought that creating an
>> intermediate CA for use by Squid would be sufficient. But no, I've had
>> to install the intermediate CA on my browsers too. Feature request I
>> guess?
>>
>> - Lindsay
Received on Wed Jun 22 2011 - 23:20:02 MDT

This archive was generated by hypermail 2.2.0 : Thu Jun 23 2011 - 12:00:02 MDT