[squid-users] https_port ... tls-cert=... missing the chain in the handshake

HoverHell hoverhell at gmail.com
Tue Mar 29 13:19:43 UTC 2022


Trying to set up a non-transparent forward proxy with TLS,
using squid 4.10-1ubuntu1.5 (ubuntu 20.04), config line:
`https_port 12345 tls-cert=/etc/letsencrypt/.../fullchain.pem tls-key=/etc/letsencrypt/.../privkey.pem`
When establishing a TLS connection to that port, squid seems to return only
the domain certificate from the certificate chain:

$ openssl s_client -showcerts -connect hostname:12345 | grep -v '^[A-Za-z0-9]'
depth=0 CN = ...
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ...
verify error:num=21:unable to verify the first certificate
verify return:1
---
0 s:CN = ...
  i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

While nginx, using the same pair of files, works correctly:

$ openssl s_client -showcerts -connect hostname:443 | grep -v '^[A-Za-z0-9]'
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ...
verify return:1
---
0 s:CN = ...
  i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1 s:C = US, O = Let's Encrypt, CN = R3
  i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
  i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Am I missing some configuration option, or is this a squid4 bug?
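An added check (not from the post or from Squid) that parses the `openssl s_client -showcerts` output shown above and flags what the Squid run exhibits, a server sending only the leaf certificate, which is what the depth=0 "unable to get local issuer certificate" error indicates; the `proxy.example` hostname and the sample chains are constructed.

```python
# Parse the "N s:<subject>" / "  i:<issuer>" pairs that `openssl s_client -showcerts`
# prints for each certificate the server presented, and report chain gaps.
import re
import subprocess

_PAIR = re.compile(r"^\s*\d+\s+s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for s, i in _PAIR.findall(s_client_output)]

def chain_problems(chain):
    """Report structural gaps in the chain the server sent (the client's own
    trust store is unknown here, so the final issuer's trust is not judged)."""
    if not chain:
        return ["no certificates parsed from s_client output"]
    problems = []
    for (subj, iss), (next_subj, _) in zip(chain, chain[1:]):
        if iss != next_subj:
            problems.append(
                f"'{subj}' is issued by '{iss}', but the next cert sent is '{next_subj}'")
    last_subj, last_iss = chain[-1]
    if len(chain) == 1 and last_subj != last_iss:
        problems.append(f"only the leaf was sent; intermediate '{last_iss}' is missing")
    return problems

def fetch_chain(host, port):
    """Run the same openssl command as in the post (plus SNI) and parse it."""
    proc = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-servername", host,
         "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, timeout=15)
    return parse_chain(proc.stdout.decode(errors="replace"))

# Constructed samples shaped like the two s_client runs in the post
# (hostname is a placeholder; PEM bodies omitted).
SQUID_SAMPLE = """0 s:CN = proxy.example
  i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
"""
NGINX_SAMPLE = SQUID_SAMPLE + """1 s:C = US, O = Let's Encrypt, CN = R3
  i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
  i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
```

Against a live port, `chain_problems(fetch_chain("hostname", 12345))` returns an empty list when the server sends a linked chain and a message naming the missing intermediate when it sends only the leaf.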