[squid-users] https_port and capath

senor frio_cervesa at hotmail.com
Tue Mar 28 22:07:30 UTC 2017


Previous questions on this list referred to using the capath= option of the https_port directive to fill in certificates missing in the chain to the Root CA trusted by the clients. I cannot seem to get that to work.

I see no error in parsing even with debug on (debug section 3,9). The directive is read and no error is produced, but there is also no hint that the file pointed to by capath is used for anything. The SSL negotiation is not changed. The same two certs are passed: just the signing cert and the signed cert.

directive:
 https_port 192.168.12.10:8443 intercept ssl-bump cert=/etc/squid/mitm.crt key=/etc/squid/mitm.key cafile=/etc/squid/mitm_chain.crt generate-host-certificates=on dynamic_cert_mem_cache_size=32MB name=mitm

The RootCA.crt is trusted by clients.
The Root CA signed intermediate1
Intermediate1 signed intermediate2
cert=intermediate2
cafile=intermediate1

This command succeeds:
openssl verify -CAfile RootCA.crt -untrusted intermediate1.crt intermediateL2.crt
If the untrusted intermediate1 is added to the client, the MITM works.

I realize this wouldn't be used very often, and I'd prefer not to use it myself, but it is necessary in this case.
Any hints?
Thanks in advance,
Senor
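An added worked example, not part of the original post and not Squid's own code: the script below builds a throwaway three-level hierarchy with the same shape as the one described (RootCA signs intermediate1, intermediate1 signs intermediate2, and a host certificate is signed by intermediate2 as a stand-in for a generated MITM certificate), then runs the openssl verify checks that show which certificates a client trusting only RootCA.crt must receive from the proxy. All file names, the hypothetical host name www.example.com and the mitm_chain.crt layout (intermediate2 followed by intermediate1) are constructed for the demo; the only thing it asserts about Squid is the premise of the post, namely that whatever file the chain option points at must carry intermediate1 for the chain to complete.

```shell
#!/bin/sh
# Added example (not from the original post, not Squid code): reproduce the
# RootCA -> intermediate1 -> intermediate2 -> host chain with openssl and show
# which extra certificates a client that trusts only RootCA.crt needs.
# All names and paths are constructed for this demo.

set -e

write_cnf() {  # $1 = work dir; minimal OpenSSL config used by every step below
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

issue() {  # $1 = dir, $2 = subject name, $3 = issuer name, $4 = extension section
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -config "$1/ca.cnf" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 1825 -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -CAcreateserial -extfile "$1/ca.cnf" -extensions "$4" -out "$1/$2.crt" 2>/dev/null
}

build_pki() {  # $1 = dir; creates RootCA, intermediate1, intermediate2 and a host cert
    write_cnf "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=RootCA" \
        -config "$1/ca.cnf" -extensions v3_ca \
        -keyout "$1/RootCA.key" -out "$1/RootCA.crt" 2>/dev/null
    issue "$1" intermediate1 RootCA v3_ca
    issue "$1" intermediate2 intermediate1 v3_ca
    # Stand-in for a per-host certificate signed by the cert= intermediate2.
    issue "$1" host intermediate2 v3_leaf
    # Hypothetical chain file: the signer plus the link the client is missing.
    cat "$1/intermediate2.crt" "$1/intermediate1.crt" > "$1/mitm_chain.crt"
}

# Client trusts only RootCA.crt: intermediate2 alone does not chain (expect failure).
verify_int2_alone() {
    openssl verify -CAfile "$1/RootCA.crt" "$1/intermediate2.crt" >/dev/null 2>&1
}

# The check from the post: intermediate1 supplied as an untrusted chain cert.
verify_int2_with_int1() {
    openssl verify -CAfile "$1/RootCA.crt" -untrusted "$1/intermediate1.crt" \
        "$1/intermediate2.crt" >/dev/null 2>&1
}

# A host cert presented with only its signer still fails for such a client.
verify_host_without_int1() {
    openssl verify -CAfile "$1/RootCA.crt" -untrusted "$1/intermediate2.crt" \
        "$1/host.crt" >/dev/null 2>&1
}

# With both intermediates alongside the host cert, the chain completes.
verify_host_with_chain() {
    openssl verify -CAfile "$1/RootCA.crt" -untrusted "$1/mitm_chain.crt" \
        "$1/host.crt" >/dev/null 2>&1
}

# Number of PEM certificates in a file: a quick sanity check on whatever file
# the chain option points at (a one-cert file cannot fill a missing link).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
build_pki "$DEMO"
echo "certs in mitm_chain.crt: $(cert_count "$DEMO/mitm_chain.crt")"
for check in verify_int2_alone verify_int2_with_int1 verify_host_without_int1 verify_host_with_chain; do
    if "$check" "$DEMO"; then echo "$check: OK"; else echo "$check: FAIL"; fi
done
```

The two host-certificate checks are the ones worth repeating against a live proxy: capture the certificates it actually sends (for example with openssl s_client -showcerts) into a file, and run openssl verify with that file as -untrusted and the client's Root CA as -CAfile. If that fails while the same command succeeds with intermediate1 appended, the proxy is not sending the intermediate, regardless of what the configuration was meant to do.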

