[squid-users] ssl bump intermediate certificate

Marek Greško mgresko8 at gmail.com
Sun Nov 3 21:24:27 UTC 2019


Hello,

I already tried adding root ca to the pem file in the cert= option.
But it had no effect.

The squid -k parse seems a good point.

I got: Ignoring non-issuer CA from /etc/squid/bump-CA/bump-ca.crt

If I add the root ca, that one is reported to be added, but still
ignoring the bump ca. Why is it ignoring my CA?

The reported purpose of the certificate is:
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

What am I doing wrong?

Thanks

Marek

2019-10-31 8:38 GMT+01:00, Amos Jeffries <squid3 at treenet.co.nz>:
> On 31/10/19 9:49 am, Marek Greško wrote:
>> Hello,
>>
>> Matus, I also found the document. It should be sending the chain, but
>> is not. When I specify cafile option it responds I should use
>> tls-cafile. But in either case it is not sending.
>>
>> Walter, if squid has such requirement, then it is unfinished. Every
>> other proxy is able to run its CA as an intermediate and clients
>> install only root CA. The proxy should be responsible to hold the
>> chain. The url Matus sent is the correct way how to do it, but it is
>> not working. At least not in 4.8 version.
>>
>
> "
> cafile=
>   File containing additional CA certificates to use
>   when verifying client certificates.
> "
>
> Note that last line. Squid-4 is more strict about its configured inputs
> being used for what they are documented as.
>
> The best place to put the chain is actually in the PEM file used in the
> cert= parameter. It should contain as much of the chain as you want
> Squid to send, starting with the proxies signing CA cert and going up
> the chained intermediate CA certs towards the root CA.
>
>
> Squid-4 will validate all certificates actually are a chain with correct
> sequence, ignoring any which are incorrect or out of sequence. Running
> "squid -k parse" will report any errors loading the chain.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>

