[squid-users] ssl_bump with intermediate CA

Garri Djavadyan garryd at comnet.uz
Fri Jan 6 04:33:11 UTC 2017


On Thu, 2017-01-05 at 23:40 +0000, senor wrote:
> Hello All.
> I'd like clarification of the documentation at
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA
> 
> In section "CA certificate preparation" it is stated that a file should
> be created with "intermediate CA2 followed by root CA1 in PEM format".
> CA1 is the cert trusted by the clients. CA2 is used to sign the mimicked
> certs. And finally the statement "Now Squid can send the intermediate
> CA2 public key with root CA1 to client and does not need to install
> intermediate CA2 to clients."
> 
> The specification states that the clients MUST NOT use CA1 provided in
> the TLS exchange. CA1 must be (and in this scenario is) already included
> in its trusted store of CAs.
> 
> As I understand it, the TLS exchange with the client for a bumped
> connection should have the mimicked server cert followed by the
> intermediate cert (CA2) and that's all. The client completes the chain
> with the already trusted CA1.
> 
> The example file created is used for cafile= option to http_port which
> is supposed to be for verifying client certs which is not part of this
> scenario.
> 
> This is getting a little long-winded so I'll wait to see what anyone has
> to say about my assumptions or understanding.
> 
> Thanks,
> Senor

Hi Senor,

You are right, it is not required to send the root CA cert to a client. It
is already installed in the client's cert store. You can find more details
in bug report 3426 [1] (comments 11 and 13).

[1] http://bugs.squid-cache.org/show_bug.cgi?id=3426


Garri
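The chain-building point discussed above can be checked locally with OpenSSL. The script below is an added example and is not part of this thread, the Squid wiki page, or the Squid project: it builds a throwaway PKI with the thread's names (a self-signed root CA1, an intermediate CA2 signed by CA1, and a leaf standing in for a mimicked server certificate, all with constructed subject names), then models the client's verification. `-CAfile` plays the role of the client's trust store and `-untrusted` the role of the certificates presented in the TLS handshake. The file paths, `www.example.test`, and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid wiki.
# Requires the openssl CLI. Builds: CA1 (root) -> CA2 (intermediate) -> leaf.
set -eu

# Create the test PKI in directory $1. All names are constructed for the example.
make_test_pki() {
  dir="$1"
  # Extensions for a CA certificate (used for both CA1 and CA2).
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  # Extensions for the leaf (the stand-in for a mimicked server cert).
  printf 'basicConstraints=CA:false\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' \
    > "$dir/leaf.ext"

  # Root CA1: self-signed. This is what sits in the client's trust store.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Root CA1 test" \
    -keyout "$dir/ca1.key" -out "$dir/ca1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$dir/ca1.csr" -signkey "$dir/ca1.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca1.pem" 2>/dev/null

  # Intermediate CA2: signed by CA1. This is the key Squid would sign mimicked certs with.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Intermediate CA2 test" \
    -keyout "$dir/ca2.key" -out "$dir/ca2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$dir/ca2.csr" \
    -CA "$dir/ca1.pem" -CAkey "$dir/ca1.key" -CAcreateserial \
    -extfile "$dir/ca.ext" -out "$dir/ca2.pem" 2>/dev/null

  # Leaf: signed by CA2, as a mimicked server certificate would be.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/leaf.csr" \
    -CA "$dir/ca2.pem" -CAkey "$dir/ca2.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null

  # The wiki's "intermediate CA2 followed by root CA1" bundle, for comparison.
  cat "$dir/ca2.pem" "$dir/ca1.pem" > "$dir/ca2+ca1.pem"
}

# Model the client: $1 = trust store file, $2 = certs presented in the handshake
# besides the leaf (empty string for none), $3 = leaf certificate.
# Returns 0 when the chain verifies, non-zero otherwise.
client_verifies() {
  trusted="$1"; presented="$2"; leaf="$3"
  if [ -n "$presented" ]; then
    openssl verify -CAfile "$trusted" -untrusted "$presented" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$trusted" "$leaf" >/dev/null 2>&1
  fi
}

# Print the three outcomes the thread is about.
demo() {
  dir=$(mktemp -d)
  make_test_pki "$dir"
  if client_verifies "$dir/ca1.pem" "$dir/ca2.pem" "$dir/leaf.pem"; then
    echo "leaf + CA2 presented, CA1 trusted: OK (client completes the chain itself)"
  fi
  if ! client_verifies "$dir/ca1.pem" "" "$dir/leaf.pem"; then
    echo "leaf only presented, CA1 trusted: FAIL (intermediate CA2 is missing)"
  fi
  if client_verifies "$dir/ca1.pem" "$dir/ca2+ca1.pem" "$dir/leaf.pem"; then
    echo "leaf + CA2 + CA1 presented, CA1 trusted: OK (the sent root is simply redundant)"
  fi
  rm -rf "$dir"
}

demo
```

The second case is the one that matters operationally: the intermediate must be presented, because the client only holds CA1. The third case shows that appending CA1 to the presented chain does no harm, but it is not what makes verification succeed; the trust store does.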
