[squid-users] ssl bump intermediate certificate

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 31 07:38:08 UTC 2019


On 31/10/19 9:49 am, Marek Greško wrote:
> Hello,
> 
> Matus, I also found the document. It should be sending the chain, but
> is not. When I specify cafile option it responds I should use
> tls-cafile. But in either case it is not sending.
> 
> Walter, if squid has such requirement, then it is unfinished. Every
> other proxy is able to run its CA as an intermediate and clients
> install only root CA. The proxy should be responsible to hold the
> chain. The url Matus sent is the correct way how to do it, but it is
> not working. At least not in 4.8 version.
> 

"
cafile=
  File containing additional CA certificates to use
  when verifying client certificates.
"

Note that last line. Squid-4 is more strict about its configured inputs
being used for what they are documented as.

The best place to put the chain is actually in the PEM file used in the
cert= parameter. It should contain as much of the chain as you want
Squid to send, starting with the proxy's signing CA cert and going up
the chained intermediate CA certs towards the root CA.


Squid-4 will validate all certificates actually are a chain with correct
sequence, ignoring any which are incorrect or out of sequence. Running
"squid -k parse" will report any errors loading the chain.

Amos
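The following script is an added example, not part of Amos's reply and not Squid project code. It builds a throw-away three-level test PKI with openssl (root, intermediate, proxy signing CA; all names are made up), assembles the bundle for the cert= parameter in the order described above (signing CA first, then each intermediate going up toward the root), and then checks that ordering and the chain's validity against the root before the file is handed to Squid. The order check mirrors what Squid-4 does when it loads the bundle, so an administrator can catch an out-of-sequence file without waiting for "squid -k parse". The `chain_order_ok` and `chain_verifies` helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the Squid project): build a
# disposable three-level PKI, assemble Squid's cert= bundle in the documented
# order, and check the bundle before use. All subject names are made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extensions that mark a certificate as a CA; without these openssl will not
# accept the intermediate as an issuer when verifying the chain.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# mkcert NAME SUBJECT ISSUER   (ISSUER is "self" for the self-signed root)
mkcert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile ca.ext -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 30 -extfile ca.ext -out "$1.pem" 2>/dev/null
  fi
}

mkcert root         "/CN=Example Root CA"          self
mkcert intermediate "/CN=Example Intermediate CA"  root
mkcert signing      "/CN=Example Proxy Signing CA" intermediate

# The bundle for cert=: the proxy's own signing CA first, then each
# intermediate going up toward the root. The root is what clients install,
# so it does not have to be in the bundle.
cat signing.pem intermediate.pem > squid-chain.pem
# A wrongly ordered bundle, kept for contrast.
cat intermediate.pem signing.pem > wrong-order.pem

# cert_field FILE issuer|subject -> the DN with the "issuer="/"subject=" prefix removed
cert_field() { openssl x509 -noout -"$2" -in "$1" | sed 's/^[^=]*= *//'; }

# chain_order_ok BUNDLE: every certificate's issuer must be the subject of
# the certificate that follows it, which is the order Squid expects.
chain_order_ok() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0 {print > (d "/" n ".pem")}' "$1"
  n=$(ls "$dir" | wc -l | tr -d ' ')
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    if [ "$(cert_field "$dir/$i.pem" issuer)" != "$(cert_field "$dir/$j.pem" subject)" ]; then
      echo "$1: certificate $i is not issued by certificate $j (out of sequence)" >&2
      rm -rf "$dir"
      return 1
    fi
    i=$j
  done
  rm -rf "$dir"
  return 0
}

# chain_verifies BUNDLE ROOT: the first certificate in the bundle must chain
# to ROOT using only the remaining bundle certificates as untrusted
# intermediates, which is what a client that has installed ROOT will do.
chain_verifies() {
  first=$(mktemp)
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1 {print}' "$1" > "$first"
  if openssl verify -CAfile "$2" -untrusted "$1" "$first" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$first"
  return $rc
}

if chain_order_ok squid-chain.pem && chain_verifies squid-chain.pem root.pem; then
  echo "squid-chain.pem is correctly ordered and chains to root.pem"
  # In squid.conf the bundle goes on the bumping port, for example:
  #   http_port 3128 ssl-bump cert=/etc/squid/squid-chain.pem key=/etc/squid/signing.key
  # and "squid -k parse" confirms Squid loads the chain without errors.
fi
echo "demo files left in $WORK"
```

Note that `chain_verifies` alone is not enough: the wrongly ordered bundle still verifies, because its first certificate (the intermediate) legitimately chains to the root. Only the sequence check catches the file that Squid-4 would silently trim.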

