[squid-users] Sending intermediate certificate with SSL-Bumped Certificate. (V3.5.1516-3-2-r14000)

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 6 13:01:47 UTC 2016


On 6/04/2016 10:49 a.m., Nicolaas Hyatt wrote:
> I know I'm a few minor revisions behind, but I am a little confused as
> to if it is possible to request squid include the configured certificate
> along with the certificate generated. I know that this is somewhat
> confusing to read.
> 
> +Root (Self Signed) CA Cert
> |
> `+ Intermediate Certificate (Used by squid.)
>  |
>  `- Squid Auto Generated Certificate
> 
> I have the Self Signed Root CA Cert installed on all the systems, but
> the Intermediate Certificate is not sent by squid, so the trust chain
> fails. I have been reading threads here and there and saw a post from
> Amos a bit ago (referring to squid v3.3) where there may (or may not)
> have been a configuration option to modify squid's behavior to do as I
> am requesting, but details in the thread do not include the
> configuration directive.

FYI: each of the Squid 3.2 -> 4.0 series so far have had significantly
different TLS handling code. So comments about one series are unlikely
to be relevant to the others, particularly in regards to SSL-Bump
functionality.

> 
> If this is not a valid feature, I understand, and can fully accept that
> answer, I'm not complaining about free software!

This is one of the things that is currently still being sorted out. In
some cases the current releases should just send the certs, in some it
should not, in others it should but doesn't. So YMMV.

The patch that just went in today sounds to me like what you are
needing. So you might want to try the Squid-4.0.8 with this extra patch
(<http://www.squid-cache.org/Versions/v4/changesets/squid-4-14626.patch>) or
a 4.0 daily snapshot rev.14626 (or later) when it becomes available.

Amos
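
The trust-chain failure described in the question can be reproduced offline with the `openssl` command line. The script below is an added example, not part of the original thread and not Squid code. It builds a constructed root, intermediate and leaf, then verifies the leaf the way a client that trusts only the root would, first without and then with the intermediate supplied. All file and subject names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed chain mirroring the layout in the question:
#   root CA (trusted by clients) -> intermediate (signing CA) -> generated leaf
# All file names and subject names are made up for this example.

new_csr() {  # new_csr <dir> <name> <common name>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_chain() {  # build_chain <dir>
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    new_csr "$d" root "Example Root CA" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    new_csr "$d" inter "Example Intermediate CA" &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
    new_csr "$d" leaf "www.example.test" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Client trusts only the root. "-untrusted" models certificates the server
# sends in the handshake: usable for path building but never trust anchors.
client_accepts() {  # client_accepts <dir> leaf-only|with-intermediate
    case $2 in
        leaf-only)         openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" ;;
        with-intermediate) openssl verify -CAfile "$1/root.pem" \
                               -untrusted "$1/inter.pem" "$1/leaf.pem" ;;
        *) return 2 ;;
    esac >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
if build_chain "$demo_dir"; then
    for sent in leaf-only with-intermediate; do
        if client_accepts "$demo_dir" "$sent"; then echo "$sent: chain verifies"
        else echo "$sent: chain fails"; fi
    done
fi
rm -rf "$demo_dir"
```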


