[squid-users] Problem with certificates and SSLBump

C. L. Martinez carlopmart at gmail.com
Sat Jun 25 16:10:11 UTC 2016


Hi all,

 I have some problems with my squid config when I use certificates generated with my internal CA. First, my ssl-bump config:

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/acls/domains.nobump"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

 With this config, all works as expected (I need to add some domains to domains.nobump, but gmail or google works without problems) only when I use a self-signed certificate in squid generated using the following commands:

openssl genrsa -out server.key 4096
openssl req -new -key server.key -x509 -days 365 -out server.crt

 But when I sign squid's request certificate with my internal CA (based on OpenBSD's LibreSSL), nothing works: gmail fails, google fails, startpage fails, etc ... My internal CA is configured to use elliptic curve cryptography (secp384r1 for the CA and prime256v1 for hosts' certificates).

 Maybe this is the problem? Why does everything work when I use a self-signed certificate, but not when I sign squid's certificate with my internal CA?

Thanks.

-- 
Greetings,
C. L. Martinez
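One check worth running before comparing the two setups, as an added example that is not part of the original post: in bump mode Squid mints per-site certificates signed by the certificate it is given, so that certificate must be CA-capable (basicConstraints CA:TRUE), which `openssl req -x509` produces by default but a host certificate issued by an internal CA normally does not. The script below assumes the openssl CLI is installed; the two sample certificates it generates (one CA-capable with an RSA key, one plain host certificate with a prime256v1 key) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Reports whether a PEM certificate
# is CA-capable (what Squid's ssl_bump signing certificate must be) and which
# public key algorithm it carries. Requires the openssl CLI.

# Print "CA" if the certificate at $1 has basicConstraints CA:TRUE, else "LEAF".
sslbump_cert_role() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo CA
    else
        echo LEAF
    fi
}

# Print the public key algorithm of the certificate at $1
# (e.g. rsaEncryption or id-ecPublicKey).
sslbump_cert_keyalg() {
    openssl x509 -in "$1" -noout -text \
        | awk -F': ' '/Public Key Algorithm/ {print $2; exit}'
}

# Build two constructed sample certificates in a temp dir and print its path:
# ca.crt is CA-capable (RSA), leaf.crt is a plain host certificate (prime256v1).
sslbump_make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=bump-ca \
        -config "$dir/ext.cnf" -extensions ca_ext \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 365 -subj /CN=bump-leaf -config "$dir/ext.cnf" -extensions leaf_ext \
        -keyout "$dir/leaf.key" -out "$dir/leaf.crt" 2>/dev/null
    echo "$dir"
}

# Demo: inspect both samples the way you would inspect the cert in squid.conf.
d=$(sslbump_make_samples)
for c in ca leaf; do
    printf '%s: role=%s key=%s\n' "$c.crt" \
        "$(sslbump_cert_role "$d/$c.crt")" "$(sslbump_cert_keyalg "$d/$c.crt")"
done
```

Run it against the real file named in your `https_port ... cert=` line; a result of LEAF means Squid cannot use that certificate to sign the per-site certificates it generates.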

