[squid-users] ssl bump intermediate certificate
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 31 07:38:08 UTC 2019
On 31/10/19 9:49 am, Marek Greško wrote:
> Hello,
>
> Matus, I also found the document. It should be sending the chain, but
> is not. When I specify cafile option it responds I should use
> tls-cafile. But in either case it is not sending.
>
> Walter, if squid has such requirement, then it is unfinished. Every
> other proxy is able to run its CA as an intermediate and clients
> install only root CA. The proxy should be responsible to hold the
> chain. The url Matus sent is the correct way how to do it, but it is
> not working. At least not in 4.8 version.
>
"
cafile=
File containing additional CA certificates to use
when verifying client certificates.
"
Note that last line. Squid-4 is more strict about its configured inputs
being used for what they are documented as.

The best place to put the chain is actually in the PEM file used in the
cert= parameter. It should contain as much of the chain as you want
Squid to send, starting with the proxy's signing CA cert and going up
the chained intermediate CA certs towards the root CA.

Squid-4 will validate that all certificates actually are a chain with correct
sequence, ignoring any which are incorrect or out of sequence. Running
"squid -k parse" will report any errors loading the chain.

Amos
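
A pre-flight check of the ordering described in the message above, as an added example that is not part of the original post or of Squid: it confirms that each certificate in a PEM bundle meant for cert= names the next certificate as its issuer. It assumes the openssl command-line tool is installed; the function names and the throwaway certificates are constructed for illustration, and only issuer/subject names are compared, not signatures.

```bash
# Added example (not Squid code): order check for a PEM bundle used with cert=.
# split_pem FILE DIR: write each certificate in FILE to DIR/NN.pem, in file order.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# check_chain_order FILE: status 0 if every certificate names the one after it
# as issuer, 1 if any is out of sequence, 2 if FILE holds no certificate.
check_chain_order() (
    dir=$(mktemp -d) || exit 2; prev=""; rc=0
    split_pem "$1" "$dir"
    for cur in "$dir"/*.pem; do
        [ -e "$cur" ] || { echo "no certificates in $1" >&2; rc=2; break; }
        if [ -n "$prev" ] && [ "$(openssl x509 -in "$prev" -noout -issuer_hash)" != \
                               "$(openssl x509 -in "$cur" -noout -subject_hash)" ]; then
            echo "out of sequence: $(basename "$cur") is not the issuer of the one before" >&2
            rc=1
        fi
        prev=$cur
    done
    rm -rf "$dir"
    exit "$rc"
)

# make_demo_chain DIR: constructed throwaway root and signing CA (sample data only).
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Signing CA" \
        -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null
    openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/sub.pem" 2>/dev/null
    cat "$1/sub.pem" "$1/root.pem" > "$1/good.pem"   # signing CA first, root last
    cat "$1/root.pem" "$1/sub.pem" > "$1/bad.pem"    # reversed order
}

# Stand-alone use: pass the bundle path as the first argument.
[ $# -eq 0 ] || check_chain_order "$1"
```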