[squid-users] ssl_bump with intermediate CA
senor
frio_cervesa at hotmail.com
Thu Jan 5 23:40:29 UTC 2017
Hello All.
I'd like clarification of the documentation at
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA
In section "CA certificate preparation" it is stated that a file should
be created with "intermediate CA2 followed by root CA1 in PEM format".
CA1 is the cert trusted by the clients. CA2 is used to sign the mimicked
certs. And finally the statement "Now Squid can send the intermediate
CA2 public key with root CA1 to client and does not need to install
intermediate CA2 to clients."
The specification states that the clients MUST NOT use CA1 provided in
the TLS exchange. CA1 must be (and in this scenario is) already included
in its trusted store of CAs.
As I understand it, the TLS exchange with the client for a bumped
connection should have the mimicked server cert followed by the
intermediate cert (CA2) and that's all. The client completes the chain
with the already trusted CA1.
The example file created is used for cafile= option to http_port which
is supposed to be for verifying client certs which is not part of this
scenario.
This is getting a little long-winded so I'll wait to see what anyone has
to say about my assumptions or understanding.
Thanks,
Senor
More information about the squid-users
mailing list