[squid-users] Ssl-bump deep dive (self-signed certs in chain)
James Lay
jlay at slave-tothe-box.net
Mon May 25 16:26:28 UTC 2015
So following advice and instructions on this page:
http://wiki.squid-cache.org/Features/DynamicSslCert
I have set up my lab with explicit proxy by exporting http_proxy and
https_proxy. After creating the self-signed root CA certificate above
and creating the .der file for the client, here are my results:
>From the squid side:
2015/05/25 10:02:20.161| Using certificate
in /opt/etc/squid/certs/SquidCA.pem
2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain:
Certificate is self-signed, will not be chained
I get the below when I don't specify a CA with curl, otherwise when I do
I get no error:
2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
And from the client side:
root at kali:~/test# curl -v https://mail.slave-tothe-box.net
* About to connect() to proxy 192.168.1.9 port 3129 (#0)
* Trying 192.168.1.9...
* connected
* Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
* Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> Host: mail.slave-tothe-box.net:443
> User-Agent: curl/7.26.0
> Proxy-Connection: Keep-Alive
>
* Easy mode waiting response from proxy CONNECT
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection #0
And testing with specifying the .der file:
root at kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v
https://mail.slave-tothe-box.net
* About to connect() to proxy 192.168.1.9 port 3129 (#0)
* Trying 192.168.1.9...
* connected
* Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
* Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> Host: mail.slave-tothe-box.net:443
> User-Agent: curl/7.26.0
> Proxy-Connection: Keep-Alive
>
* Easy mode waiting response from proxy CONNECT
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* error setting certificate verify locations:
CAfile: /etc/ssl/certs/SquidCA.der
CApath: /etc/ssl/certs
* Closing connection #0
curl: (77) error setting certificate verify locations:
CAfile: /etc/ssl/certs/SquidCA.der
CApath: /etc/ssl/certs
I can confirm that the server is using a bona-fide certificate issued
from StartSSL and works, so at this point I'm open to suggestions.
Thank you.
James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150525/926713f8/attachment.html>
More information about the squid-users
mailing list