[squid-users] ssl_bump with intermediate CA
Bruce Rosenberg
bruce.rosenberg.au at gmail.com
Fri Jan 6 00:57:08 UTC 2017
The cafile option specifies the "chain" file squid should send back to the
client along with the cert, exactly as you would normally do with Apache
httpd or Nginx.
In the example the generated server cert is depth 0, CA2 is depth 1 and CA1
is depth 2.
If the client has CA1 installed as a trust anchor then technically you
don't need to send CA1 as it is discarded by the client once the trust
relationship for CA2 is established.
It's good practice to send the full chain though as it makes
troubleshooting easier.
>From a client perspective you can quickly grab the whole chain with openssl
s_client and check if CA1 is in the trust store.
On Fri, Jan 6, 2017 at 10:40 AM, senor <frio_cervesa at hotmail.com> wrote:
> Hello All.
> I'd like clarification of the documentation at
> http://wiki.squid-cache.org/ConfigExamples/Intercept/
> SslBumpWithIntermediateCA
>
> In section "CA certificate preparation" it is stated that a file should
> be created with "intermediate CA2 followed by root CA1 in PEM format".
> CA1 is the cert trusted by the clients. CA2 is used to sign the mimicked
> certs. And finally the statement "Now Squid can send the intermediate
> CA2 public key with root CA1 to client and does not need to install
> intermediate CA2 to clients."
>
> The specification states that the clients MUST NOT use CA1 provided in
> the TLS exchange. CA1 must be (and in this scenario is) already included
> in its trusted store of CAs.
>
> As I understand it, the TLS exchange with the client for a bumped
> connection should have the mimicked server cert followed by the
> intermediate cert (CA2) and that's all. The client completes the chain
> with the already trusted CA1.
>
> The example file created is used for cafile= option to http_port which
> is supposed to be for verifying client certs which is not part of this
> scenario.
>
> This is getting a little long-winded so I'll wait to see what anyone has
> to say about my assumptions or understanding.
>
> Thanks,
> Senor
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170106/c128e4a3/attachment.html>
More information about the squid-users
mailing list