[squid-users] Ssl-bump deep dive (self-signed certs in chain)

Yuri Voinov yvoinov at gmail.com
Mon May 25 16:55:10 UTC 2015

Ah, I misunderstood.

The error you got means that the target server certificate's CA is not visible
to Squid, or to the client.

Huh. :) I had thought that Squid had suddenly turned into hackware
:)))))))))))

25.05.15 22:26, James Lay writes:
> So following advice and instructions on this page:
>
> http://wiki.squid-cache.org/Features/DynamicSslCert
>
> I have set up my lab with explicit proxy by exporting http_proxy and
> https_proxy.  After creating the self-signed root CA certificate above
> and creating the .der file for the client, here are my results:
>
> From the squid side:
> 2015/05/25 10:02:20.161| Using certificate
> in /opt/etc/squid/certs/SquidCA.pem
> 2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain:
> Certificate is self-signed, will not be chained
> I get the below when I don't specify a CA with curl, otherwise when I do
> I get no error:
> 2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
>
> And from the client side:
> root at kali:~/test# curl -v https://mail.slave-tothe-box.net
> * About to connect() to proxy 192.168.1.9 port 3129 (#0)
> *   Trying 192.168.1.9...
> * connected
> * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
> * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
>> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
>> Host: mail.slave-tothe-box.net:443
>> User-Agent: curl/7.26.0
>> Proxy-Connection: Keep-Alive
>>
> * Easy mode waiting response from proxy CONNECT
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * successfully set certificate verify locations:
> *   CAfile: none
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS alert, Server hello (2):
> * SSL certificate problem: self signed certificate in certificate chain
> * Closing connection #0
>
> And testing with specifying the .der file:
> root at kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v
> https://mail.slave-tothe-box.net
> * About to connect() to proxy 192.168.1.9 port 3129 (#0)
> *   Trying 192.168.1.9...
> * connected
> * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
> * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
>> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
>> Host: mail.slave-tothe-box.net:443
>> User-Agent: curl/7.26.0
>> Proxy-Connection: Keep-Alive
>>
> * Easy mode waiting response from proxy CONNECT
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * error setting certificate verify locations:
>   CAfile: /etc/ssl/certs/SquidCA.der
>   CApath: /etc/ssl/certs
>
> * Closing connection #0
> curl: (77) error setting certificate verify locations:
>   CAfile: /etc/ssl/certs/SquidCA.der
>   CApath: /etc/ssl/certs
>
>
> I can confirm that the server is using a bona-fide certificate issued
> from StartSSL and works, so at this point I'm open to suggestions.
> Thank you.
>
> James
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
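An added shell example, not part of the thread or of Squid: curl's --cacert expects a PEM file, which is why handing it the .der file exported for the browser produces "error setting certificate verify locations". The functions below detect the encoding, convert DER to PEM with openssl, and verify a certificate against the CA; the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Normalise a CA certificate to PEM and
# verify a leaf certificate against it. curl --cacert (and Squid's own
# certificate options) want PEM; the SquidCA.der exported for browsers does
# not load there, hence "error setting certificate verify locations".

# Print PEM, DER or UNKNOWN for the certificate file named in $1.
# The PEM header is checked textually first, because newer openssl releases
# treat -inform as a hint and may auto-detect the other encoding.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null \
       && openssl x509 -noout -in "$1" >/dev/null 2>&1; then
        echo PEM
    elif openssl x509 -inform DER -noout -in "$1" >/dev/null 2>&1; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Write the CA certificate $1 as PEM to $2, converting from DER when needed.
# Returns non-zero when the input is neither PEM nor DER.
ca_to_pem() {
    case "$(cert_format "$1")" in
        PEM) cp "$1" "$2" ;;
        DER) openssl x509 -inform DER -in "$1" -outform PEM -out "$2" ;;
        *)   echo "unrecognised certificate encoding: $1" >&2; return 1 ;;
    esac
}

# Verify certificate $2 against CA file $1 (either encoding).
# Prints OK or FAIL. FAIL with an untrusted issuer is the same trust
# failure the client in the thread reports as "self signed certificate
# in certificate chain" when no CA is supplied.
verify_against_ca() {
    tmp=$(mktemp) || return 1
    if ca_to_pem "$1" "$tmp" \
       && openssl verify -CAfile "$tmp" "$2" >/dev/null 2>&1; then
        rm -f "$tmp"; echo OK
    else
        rm -f "$tmp"; echo FAIL
    fi
}
```

Run as `verify_against_ca /etc/ssl/certs/SquidCA.der server.pem`; the converted PEM is what should be passed to curl --cacert.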
