<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>You are talking about two different things.</p>
<p>1. Root CAs are usually built into clients. For standalone use, the
root CA bundle (from Mozilla) is usually distributed with OpenSSL
distributions. If you need it (or your OpenSSL distribution does not
contain the root CAs), you can find the separately distributed Mozilla
CA bundle with a short search: <br>
</p>
<p><a class="moz-txt-link-freetext" href="https://www.google.com/search?q=Mozilla+CA+bundle">https://www.google.com/search?q=Mozilla+CA+bundle</a></p>
<p>2. Intermediate CAs are subordinate to the root CAs. There is no
governed repository of them (because supporting one is work, manual
work, and would have to be done by somebody); moreover, they are
spread across the CA authorities. There is no automated tool to
maintain this _intermediate_ list. A further problem: intermediate CAs
usually have a much shorter validity period than roots, so the list
has to be kept up to date all the time.</p>
<p>Finally, if you want to use Squid with SSL Bump, you should
understand the PKI infrastructure, and yes, you have to maintain the
root CAs &amp; intermediate CAs on the proxy yourself, all the time.
There is no free or paid service that does it for you.<br>
</p>
<br>
<div class="moz-cite-prefix">18.04.2017 19:35, Olly Lennox пишет:<br>
</div>
<blockquote type="cite"
cite="mid:1954807168.2701725.1492522550674@mail.yahoo.com">
<div style="color:#000; background-color:#fff;
font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande,
sans-serif;font-size:13px">
<div id="yui_3_16_0_ym19_1_1492518293756_49171" dir="ltr"><span
id="yui_3_16_0_ym19_1_1492518293756_49209">So anyone who
wants to use Squid over HTTPS in the way has to build this
repository themselves by manually downloading all the CA
bundles?</span></div>
<div id="yui_3_16_0_ym19_1_1492518293756_49172"> </div>
<div id="yui_3_16_0_ym19_1_1492518293756_49172"><br>
</div>
<div class="qtdSeparateBR"><br>
<br>
</div>
<div class="yahoo_quoted"
id="yui_3_16_0_ym19_1_1492518293756_49251" style="display:
block;">
<div style="font-family: Helvetica Neue, Helvetica, Arial,
Lucida Grande, sans-serif; font-size: 13px;"
id="yui_3_16_0_ym19_1_1492518293756_49250">
<div style="font-family: HelveticaNeue, Helvetica Neue,
Helvetica, Arial, Lucida Grande, Sans-Serif; font-size:
16px;" id="yui_3_16_0_ym19_1_1492518293756_49249">
<div dir="ltr" id="yui_3_16_0_ym19_1_1492518293756_49259">
<font id="yui_3_16_0_ym19_1_1492518293756_49258"
face="Arial" size="2">
<hr id="yui_3_16_0_ym19_1_1492518293756_49260"
size="1"> <b><span style="font-weight:bold;">From:</span></b>
Yuri <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><yvoinov@gmail.com></a><br>
<b><span style="font-weight: bold;">To:</span></b>
Olly Lennox <a class="moz-txt-link-rfc2396E" href="mailto:oliver@lennox-it.uk"><oliver@lennox-it.uk></a>;
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org">"squid-users@lists.squid-cache.org"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><squid-users@lists.squid-cache.org></a> <br>
<b><span style="font-weight: bold;">Sent:</span></b>
Tuesday, 18 April 2017, 14:03<br>
<b><span style="font-weight: bold;">Subject:</span></b>
Re: [squid-users] HTTPS woes<br>
</font> </div>
<div class="y_msg_container"
id="yui_3_16_0_ym19_1_1492518293756_49248"><br>
<div id="yiv7898254183">
<div id="yui_3_16_0_ym19_1_1492518293756_49247">
<div id="yui_3_16_0_ym19_1_1492518293756_49257"><br
clear="none">
</div>
<br clear="none">
<div class="yiv7898254183moz-cite-prefix"
id="yui_3_16_0_ym19_1_1492518293756_49256">18.04.2017
18:56, Olly Lennox пишет:<br clear="none">
</div>
<blockquote type="cite"
id="yui_3_16_0_ym19_1_1492518293756_49253">
<div
style="color:#000;background-color:#fff;font-family:Helvetica
Neue, Helvetica, Arial, Lucida Grande,
sans-serif;font-size:13px;"
id="yui_3_16_0_ym19_1_1492518293756_49252">
<div dir="ltr"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933"><span>I'm
using </span></div>
<div dir="ltr"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933"><br
clear="none">
</div>
<div dir="ltr"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933">sslproxy_foreign_intermediate_certs</div>
<div dir="ltr"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933"><br
clear="none">
</div>
<div dir="ltr"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933">Is
this the same thing? <br clear="none">
</div>
</div>
</blockquote>
No. You first need the CA roots to be available to
Squid. CA roots and intermediates are different
things.<br clear="none">
<blockquote type="cite"
id="yui_3_16_0_ym19_1_1492518293756_49255">
<div
style="color:#000;background-color:#fff;font-family:Helvetica
Neue, Helvetica, Arial, Lucida Grande,
sans-serif;font-size:13px;"
id="yui_3_16_0_ym19_1_1492518293756_49254">
<div dir="ltr"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933"><br
clear="none">
</div>
<div dir="ltr"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933">Also
is there anywhere to get a bundle of all the
major CA intermdiate certs or do you have to
download them all manually?</div>
</div>
</blockquote>
No. You should build it by yourself.
<div class="yiv7898254183yqt6360993177"
id="yiv7898254183yqtfd66056"><br clear="none">
<blockquote type="cite"
id="yui_3_16_0_ym19_1_1492518293756_49262">
<div
style="color:#000;background-color:#fff;font-family:Helvetica
Neue, Helvetica, Arial, Lucida Grande,
sans-serif;font-size:13px;"
id="yui_3_16_0_ym19_1_1492518293756_49261">
<div dir="ltr"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933"><br
clear="none">
</div>
<div dir="ltr"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14933">Cheers,</div>
<div
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14934"> </div>
<div class="yiv7898254183signature"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14906"><a
rel="nofollow" shape="rect"
class="yiv7898254183moz-txt-link-abbreviated"
ymailto="mailto:oliver@lennox-it.uk"
target="_blank"
href="mailto:oliver@lennox-it.uk"
id="yui_3_16_0_ym19_1_1492518293756_49263"
moz-do-not-send="true">oliver@lennox-it.uk</a><br
clear="none">
<a rel="nofollow" shape="rect"
target="_blank"
href="http://lennox-it.uk/"
moz-do-not-send="true">lennox-it.uk</a><br
clear="none">
tel: 07900 648 252</div>
<div class="yiv7898254183qtdSeparateBR"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14935"><br
clear="none">
<br clear="none">
</div>
<div class="yiv7898254183yahoo_quoted"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14881"
style="display:block;">
<div
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14880"
style="font-family:Helvetica Neue,
Helvetica, Arial, Lucida Grande,
sans-serif;font-size:13px;">
<div
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14879"
style="font-family:HelveticaNeue,
Helvetica Neue, Helvetica, Arial, Lucida
Grande, Sans-Serif;font-size:16px;">
<div dir="ltr"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14905">
<font
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14904"
face="Arial" size="2"> </font>
<hr
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14936"
size="1"> <b><span
style="font-weight:bold;">From:</span></b>
Yuri <a rel="nofollow" shape="rect"
class="yiv7898254183moz-txt-link-rfc2396E"
ymailto="mailto:yvoinov@gmail.com"
target="_blank"
href="mailto:yvoinov@gmail.com"
id="yui_3_16_0_ym19_1_1492518293756_49264"
moz-do-not-send="true"><yvoinov@gmail.com></a><br
clear="none">
<b><span style="font-weight:bold;">To:</span></b>
<a rel="nofollow" shape="rect"
class="yiv7898254183moz-txt-link-abbreviated"
ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank"
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true">squid-users@lists.squid-cache.org</a>
<br clear="none">
<b><span style="font-weight:bold;">Sent:</span></b>
Tuesday, 18 April 2017, 13:51<br
clear="none">
<b><span style="font-weight:bold;">Subject:</span></b>
Re: [squid-users] HTTPS woes<br
clear="none">
</div>
<div
class="yiv7898254183y_msg_container"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14878"><br
clear="none">
<div dir="ltr"
id="yiv7898254183yui_3_16_0_ym19_1_1492518293756_14877">Try
to specify roots CA bundle/dir
explicity by specifying one of this
<br clear="none">
params:<br clear="none">
<br clear="none">
<br clear="none">
# TAG: sslproxy_cafile<br
clear="none">
# file containing CA certificates
to use when verifying server<br
clear="none">
# certificates while proxying https://
URLs<br clear="none">
#Default:<br clear="none">
# none<br clear="none">
<br clear="none">
# TAG: sslproxy_capath<br
clear="none">
# directory containing CA
certificates to use when verifying<br
clear="none">
# server certificates while
proxying https://
URLs<br clear="none">
#Default:<br clear="none">
# none<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
18.04.2017 18:46, Olly Lennox wrote:<br
clear="none">
> Hi All,<br clear="none">
><br clear="none">
> Still having problems here.
This is my https config now:<br
clear="none">
><br clear="none">
><br clear="none">
>
---------------------------------<br clear="none">
> https_port 3129 intercept ssl-bump
generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB
cert=/etc/squid3/ssl_cert/squid.crt
key=/etc/squid3/ssl_cert/squid.key
options=NO_SSLv3
dhparams=/etc/squid3/ssl_cert/dhparam.pem<br
clear="none">
><br clear="none">
> acl step1 at_step SslBump1<br
clear="none">
> ssl_bump peek step1<br
clear="none">
> ssl_bump bump all<br
clear="none">
> sslproxy_options
NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br
clear="none">
> sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS<br
clear="none">
><br clear="none">
> sslcrtd_program
/usr/lib/squid3/ssl_crtd -s
/var/lib/ssl_db -M 4MB<br
clear="none">
> sslcrtd_children 8 startup=1
idle=1<br clear="none">
><br clear="none">
>
---------------------------------<br
clear="none">
><br clear="none">
><br clear="none">
> I'm running version 3.5.23 with
openssl 1.0. I've had to disable
libecap because I couldn't build 3.5
with ecap enabled. I'm getting the
following error when trying to
connect with SSL:<br clear="none">
><br clear="none">
>
---------------------------------<br
clear="none">
><br clear="none">
> The following error was
encountered while trying to retrieve
the URL: <a rel="nofollow"
shape="rect" target="_blank"
href="https://www.google.co.uk/*"
moz-do-not-send="true">https://www.google.co.uk/*</a><br
clear="none">
><br clear="none">
> Failed to establish a secure
connection to 216.58.198.67<br
clear="none">
><br clear="none">
> The system returned:<br
clear="none">
><br clear="none">
> (71) Protocol error (TLS code:
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)<br clear="none">
> SSL Certificate error:
certificate issuer (CA) not known:
/C=US/O=Equifax/OU=Equifax Secure
Certificate Authority<br
clear="none">
><br clear="none">
> This proxy and the remote host
failed to negotiate a mutually
acceptable security settings for
handling your request. It is
possible that the remote host does
not support secure connections, or
the proxy is not satisfied with the
host security credentials.<br
clear="none">
><br clear="none">
> Your cache administrator is
webmaster.<br clear="none">
><br clear="none">
> Generated Tue, 18 Apr 2017
12:23:40 GMT by raspberrypi
(squid/3.5.23)<br clear="none">
>
---------------------------------<br
clear="none">
><br clear="none">
> The CA is always listed as not
known, no matter what site I try I
always get this error.<br
clear="none">
><br clear="none">
> Any ideas?<br clear="none">
><br clear="none">
> Thanks,<br clear="none">
><br clear="none">
> Olly<br clear="none">
><br clear="none">
>
________________________________<br
clear="none">
> From: Olly Lennox <<a
rel="nofollow" shape="rect"
ymailto="mailto:oliver@lennox-it.uk"
target="_blank"
href="mailto:oliver@lennox-it.uk"
moz-do-not-send="true">oliver@lennox-it.uk</a>><br
clear="none">
> To: Amos Jeffries <<a
rel="nofollow" shape="rect"
ymailto="mailto:squid3@treenet.co.nz"
target="_blank"
href="mailto:squid3@treenet.co.nz"
moz-do-not-send="true">squid3@treenet.co.nz</a>>;
"<a rel="nofollow" shape="rect"
ymailto="mailto:squid-users@lists.squid-cache.org"
target="_blank"
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true">squid-users@lists.squid-cache.org</a>"
<<a rel="nofollow" shape="rect"
ymailto="mailto:squid-users@lists.squid-cache.org"
target="_blank"
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true">squid-users@lists.squid-cache.org</a>><br
clear="none">
> Sent: Sunday, 16 April 2017,
9:31<br clear="none">
> Subject: Re: [squid-users]
HTTPS woes<br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
> Thanks Amos, it's finally built,
but I had to disable ecap; for
whatever reason this kept failing
(with version 1.0.1 installed). It
failed on a reference to the Area
function I think, but I don't have
the error message copied. I'm trying
now to configure the ssl stare/peek
and will let you know how it goes.<br
clear="none">
><br clear="none">
> Olly<br clear="none">
> <br clear="none">
> <a rel="nofollow" shape="rect"
ymailto="mailto:oliver@lennox-it.uk" target="_blank"
href="mailto:oliver@lennox-it.uk"
moz-do-not-send="true">oliver@lennox-it.uk</a><br
clear="none">
> lennox-it.uk<br clear="none">
> tel: 07900 648 252<br
clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
>
________________________________<br
clear="none">
> From: Amos Jeffries <<a
rel="nofollow" shape="rect"
ymailto="mailto:squid3@treenet.co.nz"
target="_blank"
href="mailto:squid3@treenet.co.nz"
moz-do-not-send="true">squid3@treenet.co.nz</a>><br
clear="none">
> To: <a rel="nofollow"
shape="rect"
ymailto="mailto:squid-users@lists.squid-cache.org"
target="_blank"
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true">squid-users@lists.squid-cache.org</a><br
clear="none">
> Sent: Saturday, 15 April 2017,
23:07<br clear="none">
> Subject: Re: [squid-users]
HTTPS woes<br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
> On 15/04/2017 9:59 a.m., Olly
Lennox wrote:<br clear="none">
>> Hi Guys.<br clear="none">
>> I'm still struggling with
this. I'm trying to build a version
of 3.5 but I just can't get it to
work. I'm currently attempting to
rebuild the stretch package with SSL
enabled but build keeps failing with
the following:<br clear="none">
>> ../../src/ssl/gadgets.h:83:45: error: 'CRYPTO_LOCK_X509' was not declared in this scope<br clear="none">
>> typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;<br clear="none">
>> ../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid<br clear="none">
>> typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;<br clear="none">
>> ../../src/ssl/gadgets.h:89:53: error: 'CRYPTO_LOCK_EVP_PKEY' was not declared in this scope<br clear="none">
>> typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;<br clear="none">
>> ../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid<br clear="none">
>> typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;<br clear="none">
>> ../../src/ssl/gadgets.h:116:43: error: 'CRYPTO_LOCK_SSL' was not declared in this scope<br clear="none">
>> typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;<br clear="none">
>> ../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid<br clear="none">
>> typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;<br clear="none">
>> Any ideas?<br clear="none">
><br clear="none">
><br clear="none">
> On Jessie/stable:<br
clear="none">
><br clear="none">
> apt-get build-dep squid3<br
clear="none">
> apt-get install libssl-dev<br
clear="none">
><br clear="none">
><br clear="none">
> On stretch/testing/unstable:<br
clear="none">
><br clear="none">
> apt-get build-dep squid<br
clear="none">
> apt-get install libssl1.0-dev<br
clear="none">
><br clear="none">
><br clear="none">
> That should do it for you.<br
clear="none">
><br clear="none">
> Amos<br clear="none">
><br clear="none">
><br clear="none">
>
_______________________________________________<br
clear="none">
> squid-users mailing list<br
clear="none">
> <a rel="nofollow" shape="rect"
ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank"
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true">squid-users@lists.squid-cache.org</a><br
clear="none">
> <a rel="nofollow" shape="rect"
target="_blank"
href="http://lists.squid-cache.org/listinfo/squid-users"
moz-do-not-send="true">http://lists.squid-cache.org/listinfo/squid-users</a><br
clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
<div
class="yiv7898254183yqt8677547277"
id="yiv7898254183yqtfd81681"><br
clear="none">
<br clear="none">
<br clear="none">
_______________________________________________<br clear="none">
squid-users mailing list<br
clear="none">
<a rel="nofollow" shape="rect"
ymailto="mailto:squid-users@lists.squid-cache.org"
target="_blank"
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true">squid-users@lists.squid-cache.org</a><br
clear="none">
<a rel="nofollow" shape="rect"
target="_blank"
href="http://lists.squid-cache.org/listinfo/squid-users"
moz-do-not-send="true">http://lists.squid-cache.org/listinfo/squid-users</a><br
clear="none">
</div>
</div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br clear="none">
</div>
</div>
</div>
<br>
<br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
Bugs to the Future</div>
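<p>The root-versus-intermediate distinction discussed in this thread, as an
added worked example that is not part of the thread and not Squid's or
OpenSSL's own code: the script builds a throwaway root, intermediate and
server certificate with the openssl CLI, reproduces the
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY failure from the post by
verifying the server certificate against the root alone (what Squid sees
with only sslproxy_cafile set and a server that does not send its
intermediate), and then verifies again with the intermediate supplied as an
untrusted chain-building certificate (the role of
sslproxy_foreign_intermediate_certs). The CA names, the www.example.test
host name, the demo.cnf file and the directory layout are all invented for
the example.</p>

```shell
#!/bin/sh
# Added example for the squid-users thread above; not Squid's or
# OpenSSL's own code.  Builds root -> intermediate -> leaf, then shows
# why a roots-only trust store fails with "unable to get local issuer
# certificate" and how the intermediate fixes it.  All names/paths are
# invented for the demo.
set -e

# Create a root CA, an intermediate CA and a server (leaf) cert in $1.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # Minimal OpenSSL config so the demo does not depend on the
    # system openssl.cnf (invented for this example).
    cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Self-signed root: the kind of cert a Mozilla-style CA bundle holds.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo Root CA" -config "$dir/demo.cnf" -extensions v3_ca \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate, signed by the root, with a shorter lifetime than the
    # root (as the thread notes is usual for intermediates).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -config "$dir/demo.cnf" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$dir/demo.cnf" -extensions v3_ca \
        -out "$dir/int.pem" 2>/dev/null
    # Server certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -config "$dir/demo.cnf" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 365 -extfile "$dir/demo.cnf" -extensions v3_leaf \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Trust anchors only (sslproxy_cafile alone) and a server that sends
# just its leaf: the leaf's issuer is not found anywhere, so OpenSSL
# reports error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
verify_roots_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
}

# Trust anchors plus the intermediate offered as an *untrusted*
# chain-building cert, which is what
# sslproxy_foreign_intermediate_certs provides to Squid's verifier.
verify_with_intermediates() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem"
}

# Concatenating the intermediate into the CA bundle also passes, but it
# puts the intermediate in the trust store next to the anchors, so the
# bundle no longer separates what you trust from what you merely use to
# build chains.  Keep the two lists separate, as Squid's directives do.
verify_intermediate_as_anchor() {
    cat "$1/root.pem" "$1/int.pem" > "$1/bundle.pem"
    openssl verify -CAfile "$1/bundle.pem" "$1/leaf.pem"
}

run_demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "== roots only (expect error 20) =="
    verify_roots_only "$d" || true
    echo "== roots + untrusted intermediate (expect OK) =="
    verify_with_intermediates "$d"
    rm -rf "$d"
}

run_demo
```

<p>The roots-only run prints "error 20 at 0 depth lookup: unable to get local
issuer certificate", the same condition the Squid error page reports; the
second run prints "leaf.pem: OK". For a real proxy, root.pem corresponds to
the Mozilla bundle given to sslproxy_cafile and int.pem to the file you
maintain for sslproxy_foreign_intermediate_certs.</p>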
</body>
</html>