[squid-users] Problem with certificates and SSLBump

Yuri Voinov yvoinov at gmail.com
Sat Jun 25 16:33:56 UTC 2016


Use search.

Some days ago I played around with ECDSA certs and dropped it due to
extreme incompatibility with clients. Here was this thread.


25.06.2016 22:10, C. L. Martinez writes:
> Hi all,
>
>  I have some problems with my squid config when I use certificates
> generated with my internal CA. First, my ssl-bump config:
>
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/acls/domains.nobump"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
>  With this config, all works as expected (I need to add some domains
> to domains.nobump, but gmail or google works without problems) only when
> I use a self-signed certificate in squid generated using the following
> commands:
>
> openssl genrsa -out server.key 4096
> openssl req -new -key server.key -x509 -days 365 -out server.crt
>
>  But when I sign squid's request certificate with my internal CA
> (based on OpenBSD's LibreSSL), nothing works: gmail fails, google fails,
> startpage fails, etc ... My internal CA is configured to use elliptic
> curve cryptography (secp384r1 for the CA and prime256v1 for host
> certificates).
>
>  Maybe this is the problem? Why does everything work when I use a
> self-signed certificate and not when I sign squid's certificate with my
> internal CA?
>
> Thanks.
>

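As an added example (not code from either message in this thread), the script below builds a squid ssl_bump signing certificate the two ways the post describes: issued by an EC internal CA (secp384r1 CA key, prime256v1 squid key) and, for comparison, by an RSA CA. It then reports the public-key algorithm, the signature algorithm and whether the certificate carries basicConstraints CA:TRUE, which is what a practitioner wants to see before blaming the clients: squid uses the configured certificate to sign the per-site certificates it generates while bumping, so that certificate has to be CA-capable, which the post's `openssl req -x509` self-signed certificate is by default and a plain end-entity certificate issued by an internal CA is not. The file names (ca-ec, ca-rsa, squid-ec, squid-rsa), the `/CN=` subjects and the temp directory are assumptions of this example; it needs only the openssl CLI on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a squid ssl_bump signing cert
# two ways (EC internal CA as in the post, RSA CA for comparison) and reports
# the key algorithm, signature algorithm and CA flag of each result.
# Assumes the openssl CLI is on PATH; all files go into a temp directory.
set -e
WORK=$(mktemp -d)

# make_ca <name> <newkey args...>: self-signed CA, like the post's
# "openssl req -new -key ... -x509" but non-interactive (-subj, -nodes).
# On OpenSSL 1.1 the CA:TRUE extension of a "req -x509" cert comes from
# openssl.cnf (v3_ca section); OpenSSL 3 adds it by default.
make_ca() {
  name=$1; shift
  openssl req -new -x509 -days 365 -subj "/CN=$name" -nodes \
    -newkey "$@" -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# make_squid_cert <ca> <name> <newkey args...>: CSR for squid, signed by <ca>.
# basicConstraints CA:TRUE is added explicitly because squid signs the
# per-site certificates it generates with this certificate; an end-entity
# certificate issued by the CA cannot be used for that.
make_squid_cert() {
  ca=$1; name=$2; shift 2
  openssl req -new -subj "/CN=squid-bump" -nodes \
    -newkey "$@" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign,digitalSignature\n' \
    > "$WORK/$name.ext"
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# key_algo <cert>: public key algorithm, e.g. rsaEncryption or id-ecPublicKey
key_algo() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p'
}

# sig_algo <cert>: how the issuer signed it, e.g. ecdsa-with-SHA256 or
# sha256WithRSAEncryption (the line appears twice in -text output; take one)
sig_algo() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# is_ca <cert>: succeeds only when the cert carries basicConstraints CA:TRUE
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# EC chain as described in the post: secp384r1 CA, prime256v1 squid key.
make_ca ca-ec ec -pkeyopt ec_paramgen_curve:secp384r1
make_squid_cert ca-ec squid-ec ec -pkeyopt ec_paramgen_curve:prime256v1

# RSA chain for comparison (2048 bits keeps the run short; the post used 4096).
make_ca ca-rsa rsa:2048
make_squid_cert ca-rsa squid-rsa rsa:2048

for c in squid-ec squid-rsa; do
  printf '%s: key=%s sig=%s ca=%s\n' "$c" "$(key_algo "$WORK/$c.crt")" \
    "$(sig_algo "$WORK/$c.crt")" "$(is_ca "$WORK/$c.crt" && echo yes || echo no)"
done
```

Run the same three checks (`key_algo`, `sig_algo`, `is_ca`) against the certificate actually configured in squid.conf: if `is_ca` fails, the bump will break for every site regardless of the curve; if the key or signature is ECDSA, the thread's point about client compatibility applies, and the generated certificates will carry that same signing algorithm. Whichever certificate is used, its CA must also be in the clients' trust stores.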

