[squid-users] Squid Proxy SSL Bump Certificates

Antony Stone Antony.Stone at squid.open.source.it
Thu Jun 30 09:04:38 UTC 2016


On Thursday 30 June 2016 at 10:53:57, info at comunicacionesman.com wrote:

> What I'm trying to do now is to use an external certificate from a
> trusted certificate authority (in this case I'm using a free SSL
> certificate from comodo), but I can't see my certificate in the
> certificates list when enabling SSL Man in the middle. I can only see
> CA's, which are certificate authorities, but when I upload comodo's Root
> CA certificate and select it, service does not start. Throws this error:
> 
> Jun 30 08:52:40 squid  No valid signing SSL certificate configured
> for HTTP_port 192.168.1.1:3128
> 
> Does Squid not accept a SSL Certificate from external authorities or am
> I missing something?

Squid would be quite happy to accept a certificate from external authorities, 
but you will never get one.

You're missing the significance of the word "signing" in that error message.

What you have from Comodo is a signED certificate (and you also have the CA 
certificate to prove that they signed it).

What you do not have is a signING certificate (together with the accompanying 
private key) to be able to create and sign certificates on the fly, which is 
what Squid does for SSL MITM interception.

You will never get an appropriate key and certificate for this purpose from an 
external CA, because if they gave you those, you could forge certificates for 
any website on the Internet and their trust model would collapse.

SSL MITM has to be done with a self-signed certificate, and a self-generated CA 
certificate on the clients.


Antony.

-- 
Python is executable pseudocode.
Perl is executable line noise.

                                                   Please reply to the list;
                                                         please *don't* CC me.

