RE: [squid-users] SSLBump and intermedia CA Certificate.

Hi Amos,

I am trying to make the intermediate certs into the dynamic ssl connection.
Based on the code, the "cert" entry of http_port configure is actually a cert chain file. So the configure does have enough info for the intermediate cert chain to work. What is missing is when the SSL_CTX is dynamically generated, it only added the resigned server cert without the chain of certs.

My current difficulty is after I located the dynamic SSL_CTX context, how can I find the resigning cert chain defined in configure line
        http_port ..... cert=certfile....

Is it stored in some global?

Regards,
Ming

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Wednesday, June 22, 2011 7:20 PM
> To: squid-users_at_squid-cache.org
> Subject: RE: [squid-users] SSLBump and intermedia CA Certificate.
>
> On Wed, 22 Jun 2011 21:37:35 +0000, Ming Fu wrote:
> > I am also interested in understanding the issue.
> >
> > Can squid send the certificate chain as a part of the negotiation?
> > Apache is able to do that, so I think the underlining openssl is not
> > the problem. This may require new configure option in the ssl_bump to
> > tell squid where the certificate chain file is.
>
> It is indeed possible.
> The certificate generator is new and does not cover every possible
> situation of SSL. Patches welcome.
>
> Amos
>
> >
> > Ming
> >
> >
> >> -----Original Message-----
> >> From: Lindsay Hill [mailto:lindsayh_at_makonetworks.com]
> >> Sent: Tuesday, June 07, 2011 11:31 PM
> >> To: squid-users_at_squid-cache.org
> >> Subject: Re: [squid-users] SSLBump and intermedia CA Certificate.
> >>
> >> On 06/08/2011 02:52 PM, Amos Jeffries wrote:
> >> > On Tue, 07 Jun 2011 11:54:52 +0200, Paweł Mojski wrote:
> >> >> Hi all.
> >> >>
> >> >> Finally I successful implemented ssl-bump with dynamic
> >> certificate
> >> >> generation feature.
> >> >> But, I don't know how to configure squid to use intermediate ca
> >> >> certificate.
> >> >> I generated Root CA, then using Root CA i signed Intermediate CA
> >> >> certificate and now, I want squid to use this Intermediate CA
> >> >> Certificate while generating certs for https connections.
> >> >> Then I want to import Root CA certificate into Windows PKI to
> >> solve
> >> >> "Unknown CA" error while surfing https pages.
> >> >> How can I do that?
> >> >
> >> > The client must have a full chain of trust from the root all the
> >> way
> >> > down to the end certificate during the transactions. I think you
> >> may
> >> > find that signing with an intermediate CA needs to install both
> >> the
> >> > root and the intermediate public CA on the clients.
> >> >
> >> >
> >> >> I'm looking around cafile, capath of ssl-bump options but nothing
> >> >> works for me.
> >> >
> >> > http://wiki.squid-cache.org/Features/SslBump
> >> >
> >> > To squid there is only the cert PEM you told it to sign with.
> >> >
> >> > Amos
> >> >
> >>
> >> This matches up with what I've seen so far with my testing - I
> >> thought I
> >> might be able to get it to provide the full certificate chain to
> >> users,
> >> by playing around with the cafile settings, but no joy. Since all my
> >> browsers already trust my root CA, I thought that creating an
> >> intermediate CA for use by Squid would be sufficient. But no, I've
> >> had
> >> to install the intermediate CA on my browsers too. Feature request I
> >> guess?
> >>
> >> - Lindsay

Received on Mon Jul 04 2011 - 19:25:50 MDT