[squid-users] Ssl-bump deep dive (self-signed certs in chain)

James Lay jlay at slave-tothe-box.net
Mon May 25 16:26:28 UTC 2015


So following advice and instructions on this page:

http://wiki.squid-cache.org/Features/DynamicSslCert

I have set up my lab with explicit proxy by exporting http_proxy and
https_proxy.  After creating the self-signed root CA certificate above
and creating the .der file for the client, here are my results:

From the squid side:
2015/05/25 10:02:20.161| Using certificate in /opt/etc/squid/certs/SquidCA.pem
2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain: Certificate is self-signed, will not be chained
I get the below when I don't specify a CA with curl, otherwise when I do
I get no error:
2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)

And from the client side:
root at kali:~/test# curl -v https://mail.slave-tothe-box.net
* About to connect() to proxy 192.168.1.9 port 3129 (#0)
*   Trying 192.168.1.9...
* connected
* Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
* Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> Host: mail.slave-tothe-box.net:443
> User-Agent: curl/7.26.0
> Proxy-Connection: Keep-Alive
> 
* Easy mode waiting response from proxy CONNECT
< HTTP/1.1 200 Connection established
< 
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection #0

And testing with specifying the .der file:
root at kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v https://mail.slave-tothe-box.net
* About to connect() to proxy 192.168.1.9 port 3129 (#0)
*   Trying 192.168.1.9...
* connected
* Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
* Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> Host: mail.slave-tothe-box.net:443
> User-Agent: curl/7.26.0
> Proxy-Connection: Keep-Alive
> 
* Easy mode waiting response from proxy CONNECT
< HTTP/1.1 200 Connection established
< 
* Proxy replied OK to CONNECT request
* error setting certificate verify locations:
  CAfile: /etc/ssl/certs/SquidCA.der
  CApath: /etc/ssl/certs

* Closing connection #0
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/SquidCA.der
  CApath: /etc/ssl/certs


I can confirm that the server is using a bona-fide certificate issued
from StartSSL and works, so at this point I'm open to suggestions.
Thank you.

James
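The two curl failures above have different causes, and neither is a fault in Squid's ssl-bump. The first ("self signed certificate in certificate chain") is curl correctly rejecting the proxy-minted leaf because the SquidCA root is not among the trusted CAs in /etc/ssl/certs. The second, exit code 77 "error setting certificate verify locations", is curl refusing to load the CA file at all: `--cacert` expects PEM, and a `.der` file (raw ASN.1, first byte 0x30) is not PEM. The following is an added example, not code from the original post or from the Squid project; it sniffs whether a CA file is DER or PEM and converts DER to the PEM armor curl needs. The sample bytes are a constructed minimal DER SEQUENCE standing in for a real certificate, and the file names mentioned are hypothetical.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE { INTEGER 1 }, NOT a real X.509
# certificate. It only needs the leading 0x30 tag to stand in for a .der file.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def sniff_cert_format(data: bytes) -> str:
    """Return 'der', 'pem' or 'unknown' for the contents of a CA file.

    DER-encoded X.509 starts with the ASN.1 SEQUENCE tag 0x30; PEM is ASCII
    text carrying a BEGIN CERTIFICATE armor line (comments before it are fine).
    """
    if not data:
        return "unknown"
    if data[0] == 0x30:
        return "der"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    return "pem" if PEM_HEADER in text else "unknown"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in RFC 7468 PEM armor with 64-character base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it."""
    pattern = re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER)
    match = re.search(pattern, pem, re.S)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def ensure_pem_for_curl(data: bytes) -> str:
    """Return PEM text suitable for curl --cacert, converting DER if needed."""
    fmt = sniff_cert_format(data)
    if fmt == "pem":
        return data.decode("ascii")
    if fmt == "der":
        return der_to_pem(data)
    raise ValueError("input is neither PEM nor DER; curl --cacert would fail")


if __name__ == "__main__":
    # Hypothetical file names; in the post the DER file was SquidCA.der.
    print("detected:", sniff_cert_format(SAMPLE_DER))
    print(ensure_pem_for_curl(SAMPLE_DER))
```

With a real file, `openssl x509 -inform der -in SquidCA.der -out SquidCA.pem` does the same conversion, and `curl --cacert SquidCA.pem` then validates the proxy-issued chain against the Squid root instead of failing at exit code 77. Note that the .der file is the right artifact for importing into browsers and Windows certificate stores; it is only curl's `--cacert` option that insists on PEM.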