[squid-users] Existing root certificate not working with SSL Bump (squid 3.3.10)

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 26 09:45:08 UTC 2014


On 26/11/2014 5:38 a.m., HaxNobody wrote:
> Hello,
> 
> We are trying to configure Squid with SSL bump in order to filter
> traffic with a content filter. We have an existing self-signed root
> certificate and private key that we use successfully with other
> similar proxy software, and we wish to re-use it with Squid so that
> we don't have to distribute a new root certificate to our clients.
> 
> However, when we try to use our existing root with Squid, we get
> SSL errors from the browser and we are quite stumped as to why they
> are happening.

The story begins here:
https://www.imperialviolet.org/2011/05/04/pinning.html

.. the other browsers picked up and also started pinning domain
certificates some time ago.

The rest of the story is that Squid 3.3 is now quite old and in terms
of ssl-bump specifically it is outright obsolete technology. Your best
chance is to upgrade to the latest release and try again. A fix will
only be worth fixing (or even investigating) if the problem persists
with the latest Squid-3.5 (beta) ssl-bump features.

Amos


