[squid-users] Is there a way on client to show proxy's certificate?

Amos Jeffries squid3 at treenet.co.nz
Tue Dec 24 01:49:55 UTC 2019


On 24/12/19 7:55 am, GeorgeShen wrote:
> 
>>> actually doing "openssl s_client -proxy 192.168.1.35:3129 -connect
>>> <host:port> -showcerts ",
>>> noticed two of the three certs from that display is from the proxy server
>>> I
>>> think. the first one
>>> is the modified host cert. maybe that's the way to get proxy server's
>>> certs.
>>>
> 
>> You are using SSL-Bump. There is no "proxy cert" in these connections.
>> There is only client cert (optional) and server cert (possibly modified
>> by Squid, with CA chain).
>>
>> What you see there is what exists in the traffic.
> 
> Sorry, but when I run the above openssl command, I do get three certs, first
> one is
> the modified server cert, the 2nd and third certs are the squid proxy's
> certs.

No. You receive a server cert and the CA chain required to validate that
server cert.

Stop thinking of certs as belonging to the proxy. It seems to be
confusing you. All 3 certs can be called "the proxy's certs" and yet
none of them is a "proxy cert" in TLS definitions.

Amos


More information about the squid-users mailing list