[squid-users] SSLBUMP certificate verify failed
Amos Jeffries
squid3 at treenet.co.nz
Tue Jan 19 00:02:31 UTC 2016
On 18/01/2016 10:13 a.m., Roman Gelfand wrote:
> I am not sure where I am going wrong here...
>
>
> ssl bump certificate
> openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout squidCA.pem -out squidCA.pem
>
> The der certificate was generated and deployed on client computer trusted root
> openssl x509 -in squidCA.pem -outform DER -out squidCA.der
>
>
> squid.conf
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/ssl_cert/squidCA.pem
>
What makes you think the squid-to-client certificate details have
anything to do with the server-to-squid certificate failing to verify?

Your issue is probably:

* outdated Trusted CAs installed on the Squid machine, and/or
* the certificate the server is presenting to Squid being invalid, and/or
* the certificate chain being presented by the server being incomplete, and/or
* non-TLS response coming back to Squid from the server, and/or
* someone else MITM'ing the connection upstream of Squid.

Amos
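
Two of the causes listed in the reply above (an incomplete chain from the server, and a trust store that lacks the issuing root) can be reproduced offline with `openssl verify`. This is an added example, not part of the original thread; every file name and subject name in it is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo (all names are made up): build root -> intermediate -> leaf,
# then verify the leaf the way a TLS client checking a server certificate would.

issue() {  # issue <name> <CN> <extfile> <signing options...>; uses $d as workdir
  name=$1 cn=$2 ext=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/$name.csr" -days 2 -sha256 \
    -extfile "$d/$ext" "$@" -out "$d/$name.pem" 2>/dev/null
}

make_chain() {  # make_chain <workdir>
  d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  echo 'basicConstraints=CA:FALSE' > "$d/leaf.ext"
  issue root  "Demo Root"         ca.ext -signkey "$d/root.key" &&
  issue other "Unrelated Root"    ca.ext -signkey "$d/other.key" &&
  issue int   "Demo Intermediate" ca.ext \
    -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 &&
  issue leaf  "www.example.test"  leaf.ext \
    -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3
}

chain_ok() {  # chain_ok <trusted CA file> <leaf> [intermediates sent by server]
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

report() {
  if chain_ok "$@"; then echo "verify OK"; else echo "certificate verify failed"; fi
}

d=$(mktemp -d) && make_chain "$d" || exit 1
# Server sends leaf + intermediate, verifier trusts the right root.
echo "complete chain, root trusted:   $(report "$d/root.pem" "$d/leaf.pem" "$d/int.pem")"
# Server sends only the leaf: the intermediate is missing from the chain.
echo "incomplete chain from server:   $(report "$d/root.pem" "$d/leaf.pem")"
# Chain is complete, but the verifier's trust store lacks the issuing root.
echo "issuing root not in CA store:   $(report "$d/other.pem" "$d/leaf.pem" "$d/int.pem")"
rm -rf "$d"
```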