[squid-users] SSLBUMP certificate verify failed

Amos Jeffries squid3 at treenet.co.nz
Tue Jan 19 00:02:31 UTC 2016


On 18/01/2016 10:13 a.m., Roman Gelfand wrote:
> I am not sure where I am going wrong here...
> 
> 
> ssl bump certificate
> openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout
> squidCA.pem  -out squidCA.pem
> 
> The der certificate was generated and deployed on client computer trusted
> root
> openssl x509 -in squidCA.pem -outform DER -out squidCA.der
> 
> 
> squid.conf
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/ssl_cert/squidCA.pem
> 

What makes you think the squid-to-client certificate details have
anything to do with the server-to-squid certificate failing to verify?

Your issue is probably:

* outdated Trusted CAs installed on the Squid machine, and/or
* the certificate the server is presenting to Squid being invalid, and/or
* the certificate chain being presented by the server being incomplete,
and/or
* non-TLS response coming back to Squid from the server, and/or
* someone else MITM'ing the connection upstream of Squid.

Amos
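
An added example, not part of the message above or of Squid: a shell function that reads `openssl s_client` output captured on the Squid host and points at which of the listed causes to check first. The mapping from OpenSSL verify codes to those causes, the function name `classify_verify`, the hostname and the CA path are assumptions of this example, and the sample input is constructed.

```bash
#!/bin/sh
# Classify `openssl s_client` output (run from the Squid machine) against the
# causes listed in the reply. The code-to-cause mapping is this example's own.
# Live use, with a placeholder hostname and an assumed CA directory:
#   openssl s_client -connect example.com:443 -servername example.com \
#       -CApath /etc/ssl/certs </dev/null 2>&1 | classify_verify

classify_verify() {
    out=$(cat)
    # A plaintext (non-TLS) answer fails the handshake before any
    # certificate is seen, so check for it first.
    if printf '%s\n' "$out" | grep -q 'wrong version number'; then
        echo "non-TLS response from server"
        return 0
    fi
    # s_client can print the result more than once; take the first.
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    case "$code" in
        0)     echo "chain verifies; look elsewhere" ;;
        9|10)  echo "server certificate invalid (not yet valid or expired)" ;;
        18|19) echo "self-signed certificate in path; untrusted CA or upstream interception" ;;
        20)    echo "issuer not in local trust store; outdated CA bundle or incomplete chain" ;;
        21)    echo "leaf cannot be verified; server chain incomplete" ;;
        "")    echo "no verify result found" ;;
        *)     echo "other verify error $code" ;;
    esac
}

# Constructed sample, not captured from a real server.
sample='depth=0 CN = www.example.test
verify error:num=20:unable to get local issuer certificate
Verify return code: 20 (unable to get local issuer certificate)'
printf '%s\n' "$sample" | classify_verify
```

Run the probe as the same user and against the same CA directory that Squid uses, otherwise the result reflects a different trust store.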

