[squid-users] Existing root certificate not working with SSL Bump (squid 3.3.10)

Amos Jeffries squid3 at treenet.co.nz
Sun Nov 30 06:13:53 UTC 2014


On 27/11/2014 6:45 a.m., HaxNobody wrote:
> Alright, I figured out a possible cause. I downloaded the
> certificate that the browsers were complaining about, and used
> openssl verify to verify against the root certificate that I have.
> I got error 20, indicating that squid must not be using the correct
> root certificate to generate the client certificate on the fly, or
> that it is being generated incorrectly. The generated certificate
> shows all the correct properties of the root certificate that I am
> using, so my conclusion is that squid is incorrectly generating the
> client certificate.
> 
> Question: Under what circumstances might squid incorrectly generate
> a bump certificate?

In all circumstances involving client-first bumping, or a bug in Squid.

Other circumstances depend on your definition of "correct". Squid
3.3+ will mimic certificates *including errors* delivered by servers.


Also, Squid does not generate client certificates. It generates server
certificates. I assume that is what you are talking about.


> Another question: Why might it be working when I use a different
> root certificate?

a) possibly the client trusts only one out of the two root certificates.

b) possibly the non-working certificate is not properly installed in
the client.

c) possibly the non-trusted root certificate is part of a chain which
the client is not able to locate all the pieces for (leading to 'a').

d) possibly the root certificate has key extensions or usage
restrictions prohibiting what Squid usage requires (leading to 'a').


You will need to get a content dump of the certificates emitted by
Squid and a working system to see what the difference(s) are.

Amos

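The checks Amos lists, as an added shell example that is not part of this thread: it builds two constructed roots (one a proper signing CA, one whose keyUsage forbids certificate signing, his point d), mints a leaf from each the way Squid does for a bumped site, and reports the openssl verify error so that the "error 20" symptom can be reproduced against the wrong root. It assumes only an openssl binary in PATH; all names and files are made up here.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the root/leaf checks with openssl.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Constructed roots: "good" can sign certificates, "bad" has CA:TRUE but a
# keyUsage without keyCertSign, so clients refuse to chain through it.
cat > good.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = Bump Root (good)
[v3]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
sed -e 's/(good)/(bad)/' -e 's/keyCertSign,cRLSign/digitalSignature/' good.cnf > bad.cnf
for r in good bad; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config $r.cnf \
    -keyout $r.key -out $r.pem 2>/dev/null
done

# mint_leaf ROOT OUT: sign a server cert for example.test with ROOT's key,
# which is what Squid does on the fly for each bumped server.
mint_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -config good.cnf -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 30 -out "$2" 2>/dev/null
}

# verify_err CAFILE LEAF: print 0 if LEAF chains to CAFILE, otherwise the
# X.509 error number openssl reports (20 = unable to get local issuer cert).
verify_err() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then echo 0; return; fi
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# root_can_sign ROOT: true if ROOT is CA:TRUE and its keyUsage allows signing.
root_can_sign() {
  t=$(openssl x509 -in "$1" -noout -text)
  echo "$t" | grep -q 'CA:TRUE' && echo "$t" | grep -q 'Certificate Sign'
}

mint_leaf good leaf_good.pem
mint_leaf bad  leaf_bad.pem
echo "good root / good leaf:       error $(verify_err good.pem leaf_good.pem)"
echo "other root / good leaf:      error $(verify_err bad.pem leaf_good.pem)"
echo "restricted root / own leaf:  error $(verify_err bad.pem leaf_bad.pem)"
```

The second case is the mismatch Amos describes in (a) and (b): the leaf looks fine but the root the client trusts never signed it, so verification stops at depth 0 with error 20. The third case fails even though subject and issuer match, because the root's own extensions disqualify it as an issuer (point d), and the exact error number there varies by OpenSSL version.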
