[squid-users] https_port and capath

Amos Jeffries squid3 at treenet.co.nz
Tue Apr 4 06:21:47 UTC 2017


On 29/03/2017 11:07 a.m., senor wrote:
> Previous questions on this list referred to using the capath= option
> to https_port directive to fill in certificates missing in the chain
> to the Root CA trusted by the clients. I can not seem to get that to
> work.
> 
> I see no error in parsing even with debug on (debug section 3,9). The
> directive is read and no error produced but also no hint that the
> file pointed to by capath is used for anything. The SSL negotiation
> is not changed. The same 2 certs are passed. Just the signing cert
> and the signed cert.
>
> directive:
> https_port 192.168.12.10:8443 intercept ssl-bump \
>  cert=/etc/squid/mitm.crt key=/etc/squid/mitm.key \
>  cafile=/etc/squid/mitm_chain.crt generate-host-certificates=on \
>  dynamic_cert_mem_cache_size=32MB name=mitm
> 
> The RootCA.crt is trusted by clients.
> The Root CA signed intermediate1
> Intermediate1 signed intermediate2
> cert=intermediate2
> cafile=intermediate1
> 
> This command succeeds:
> openssl verify -CAfile RootCA.crt -untrusted intermediate1.crt intermediateL2.crt
> If the untrusted intermediate1 is added to client the MITM works.
> 
> I realize this wouldn't be used very often and I'd prefer not using it myself but it is necessary in this case. 
> Any hints?

The cert= and key= parameters are used by the cert generator.

The cafile= parameter and the generator output are used by the
verification and maybe sent to the client.

So your PEM file in *both* cert= and cafile= need to contain the whole
chain of intermediates.

Amos
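The point in the reply above is that whatever file `cert=` and `cafile=` name must carry the full chain of intermediates, not just the signing certificate. The script below is an added illustration, not code from the thread or from the Squid project: it builds a throwaway RootCA -> intermediate1 -> intermediate2 hierarchy with openssl that mirrors the poster's layout, writes the two PEM bundles (`mitm.crt` and `mitm_chain.crt`, the file names from the question), and then checks each bundle the same way the poster did with `openssl verify`. The working directory `$WORK` and the helper functions `chain_status` and `cert_count` are assumptions of this example.

```shell
#!/bin/sh
# Added example: build a Root -> intermediate1 -> intermediate2 test hierarchy
# and verify that a PEM bundle really contains the full intermediate chain.
set -e

# Scratch directory for keys and certificates (assumption of this example)
WORK=${WORK:-$(mktemp -d)}

# v3 extensions marking a certificate as a CA, so openssl verify accepts it as an issuer
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# mkca NAME [ISSUER]: create a key and a CA certificate for NAME.
# With no ISSUER the certificate is self-signed (the Root CA).
mkca() {
    name=$1; issuer=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -days 1 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -extfile "$WORK/ca.ext" -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -days 1 -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -extfile "$WORK/ca.ext" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# Same hierarchy as in the question: RootCA signs intermediate1, which signs intermediate2
mkca RootCA
mkca intermediate1 RootCA
mkca intermediate2 intermediate1

# Bundles for cert= and cafile=: the signing cert first, then every intermediate
# up to (but not including) the root the clients already trust.
cat "$WORK/intermediate2.crt" "$WORK/intermediate1.crt" > "$WORK/mitm.crt"
cp "$WORK/mitm.crt" "$WORK/mitm_chain.crt"
cp "$WORK/intermediate2.key" "$WORK/mitm.key"

# chain_status BUNDLE: verify the first certificate in BUNDLE against RootCA,
# using the remaining certificates in BUNDLE as untrusted intermediates.
# Prints OK when the chain is complete, FAIL when an intermediate is missing.
chain_status() {
    if openssl verify -CAfile "$WORK/RootCA.crt" -untrusted "$1" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# cert_count FILE: number of PEM certificates in a bundle
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

echo "full bundle (cert=/cafile=): $(chain_status "$WORK/mitm.crt") ($(cert_count "$WORK/mitm.crt") certs)"
echo "intermediate2 on its own:    $(chain_status "$WORK/intermediate2.crt") ($(cert_count "$WORK/intermediate2.crt") cert)"
```

The two-certificate bundle verifies to the root, while the bare `intermediate2.crt` fails with a missing-issuer error: that is the gap a client sees when only the signing certificate is handed out, and it is why the reply says both `cert=` and `cafile=` should point at a file containing the whole chain.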

