[squid-users] Existing root certificate not working with SSL Bump (squid 3.3.10)

HaxNobody nobody at hushmail.com
Tue Nov 25 16:38:13 UTC 2014


Hello,

We are trying to configure Squid with SSL bump in order to filter traffic
with a content filter. We have an existing self-signed root certificate and
private key that we use successfully with other similar proxy software, and
we wish to re-use it with Squid so that we don't have to distribute a new
root certificate to our clients.

However, when we try to use our existing root with Squid, we get SSL errors
from the browser and we are quite stumped as to why they are happening. We
have provided the certificate and private key to Squid and it is
successfully decrypting and re-encrypting the traffic after sending it
through our filter. The message we get from Firefox is as follows:

"www.google.com uses an invalid security certificate. The certificate is not
trusted because no issuer chain was provided. (Error code:
sec_error_unknown_issuer)"

Chrome says:

"NET::ERR_CERT_AUTHORITY_INVALID"

Please note that this happens with any SSL site, not just Google. If we go
and view the certificate that the browser sees, it appears to be valid and
it shows the issuer as our custom root certificate, as expected. As I
mentioned previously, this root is already installed into Firefox (and into
the windows trusted root store as well). Internet Explorer and Google Chrome
give similar errors.

I have used openssl to verify that the modulus on the key and the
certificate match (they do). Oddly, we can generate a new certificate and it
will work correctly as expected, although that would require us to
distribute a new root. Does anyone have any idea why our existing root will
not work, but a new one will? Does Squid require certain extensions or other
things that our existing certificate might not have?



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Existing-root-certificate-not-working-with-SSL-Bump-squid-3-3-10-tp4668515.html
Sent from the Squid - Users mailing list archive at Nabble.com.


More information about the squid-users mailing list