[squid-users] Squid 4 and missing intermediate certs

Alex Crow acrow at integrafin.co.uk
Fri Jan 26 09:30:05 UTC 2018


Hi List,

I've just set up a new SSL interception proxy using peek/splice/bump 
using squid 4.0.22 and I'm getting SSL errors on some sites indicating 
missing intermediate certs as described here:

https://blog.diladele.com/2015/04/21/fixing-x509_v_err_unable_to_get_issuer_cert_locally-on-ssl-bumping-squid/

I have read the wiki and I see this on the SslBumpExplicit page:

"Squid-4 <https://wiki.squid-cache.org/Squid-4> is capable of 
downloading missing intermediate CA certificates, like popular browsers do."

However I'm finding that I have to follow the procedure in the diladele 
article and manually install the intermediate certs into the PKI trust 
to work around this.

My interception config is like this:

ssl_bump splice localhost
ssl_bump peek step1 all
ssl_bump splice nobumpdoms
ssl_bump stare step2 all
ssl_bump bump all

nobumpdoms is an acl pointing to a file listing domains that should not 
be subject to interception, and works fine.

Is there something else I have to specify to get squid4 to behave as 
described on the wiki?

Many thanks,

Alex
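
Added example (not part of the original post and not Squid code): the error named in the linked article, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, is OpenSSL verify error 20, and it can be reproduced offline with a constructed root, intermediate and leaf. The three checks compare a server that omits the intermediate, one that sends it, and the trust-store workaround described in the post; the names, paths and the `make_chain`/`verify_leaf` helpers are assumptions, and OpenSSL 1.1.0 or later is assumed.

```shell
# Added example: every certificate here is constructed locally; names are made up.
make_chain() {  # $1 = empty working directory
  d=$1
  # Private config so the run does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' '[v3ca]' \
    'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign' \
    'subjectKeyIdentifier=hash' > "$d/o.cnf"
  # Self-signed root: the only certificate the verifier trusts.
  openssl req -config "$d/o.cnf" -x509 -extensions v3ca -newkey rsa:2048 -nodes \
    -days 2 -subj '/CN=Constructed Root CA' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=Constructed Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 1 -days 2 -extfile "$d/o.cnf" -extensions v3ca \
    -out "$d/int.pem" 2>/dev/null
  # Leaf for the origin server, signed by the intermediate.
  openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=www.example.test' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 2 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Verdict for the leaf: $1 = directory, $2 = trusted CA file, $3 = optional file
# of untrusted chain certs (what a server sends alongside its leaf).
verify_leaf() {
  out=$(openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1/leaf.pem" 2>&1) || true
  # Reduce openssl's message to its numeric X509_V_ERR code, if any.
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -n "$code" ]; then echo "ERR $code"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then echo OK
  else echo FAIL
  fi
}

WORK=$(mktemp -d)
make_chain "$WORK"
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/root+int.pem"
echo "leaf only, root trusted:          $(verify_leaf "$WORK" "$WORK/root.pem")"
echo "leaf + intermediate sent:         $(verify_leaf "$WORK" "$WORK/root.pem" "$WORK/int.pem")"
echo "intermediate added to trust file: $(verify_leaf "$WORK" "$WORK/root+int.pem")"
```

Running the same `openssl verify` comparison against a real site's saved leaf and chain shows whether the origin server is the one omitting the intermediate.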

