[squid-users] Trusted first verification regarding cross root cert
Amos Jeffries
squid3 at treenet.co.nz
Sat Jun 27 12:25:47 UTC 2020
On 27/06/20 7:07 pm, mikio.kishi wrote:
> Hi all,
>
> I am currently using sslbump feature. Sometimes, squid failed to verify
> a https web site with cross root cert. On the other hand, the site is
> accessible directly from major web browsers, such as chrome and firefox.
> I am guessing that the cert verification handling of the current sslbump
> seems to be NOT trusted_first mode. Are there any solutions to change to
> trusted_first verification mode for squid?
>
Solutions based purely on guesswork are unlikely to work.
Missing information:
* Squid version
* details of the chain being delivered to Squid
* details of the expected cross-signing chain(s).
* by "trusted_first mode" do you mean TOFU or something else?
Squid supports a helper, which can do any type of validation -
including none. BUT ... you first need to eliminate the guesses to see
if it is a validation or something completely unexpected.
Amos