2010/12/23 Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx>:
> Thu 2010-12-23 at 11:52 -0800, Alex Ray wrote:
>> I've written an ad-hoc bash script, ssl_crtd_ca, that acts like the
>> following, but doesn't work when dropped in. Is there some sort of
>> spec on how ssl_crtd communicates?
>
> src/ssl/ssl_crtd.cc is the closest to a spec, I think.
>
> Why did you need to write another helper? You can specify a signing CA
> by using the cert= and key= options to http_port in combination with
> generate-host-certificates.
>
> Regards
> Henrik

When I specify cert and key, the cert that gets passed doesn't match the website being loaded. If I do it like this, I end up with merely self-signed certificates and not certificates signed by my CA:

    http_port 3128 ssl-bump generate-host-certificates=on cert=/etc/ssl/ca/cacert.pem key=/etc/ssl/ca/private/cakey.pem

(It prompts for my password and such, so it is reading those PEMs correctly.)

Right now my ssl_crtd_ca does indeed generate the correct key/certificate, signed by my CA and matching the website being loaded, but it doesn't work dynamically. What it prints out can be copied into PEMs and loaded manually, and then the site in question works, but it complains about

    2010/12/23 13:54:55 kid1| Closing SSL FD 10 as lacking SSL context

in the cache.log, and in a browser bounces between "Looking Up" and "Waiting For".
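The exchange above turns on what a generate-host-certificates helper has to hand back before a browser will accept the bumped connection: a per-host leaf certificate whose name matches the requested site and whose signature chains to the configured CA, as opposed to the self-signed leaf Alex ends up with. The Go program below is an added example, not Squid's ssl_crtd code and not Alex's ssl_crtd_ca script; it mints such a leaf with the standard library and then runs the check a browser that trusts the CA would run, contrasting the CA-signed leaf with a self-signed one. The CA name "Example Bump CA", the hostname www.example.com, P-256 keys and the validity periods are all assumptions of the example; the ssl_crtd helper protocol itself is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// newCA creates a self-signed signing CA (the role of cacert.pem/cakey.pem in
// the http_port line). The CA name and the P-256 keys are this example's choices.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Bump CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mintHostCert issues a fresh key and a leaf whose CN and SAN match host.
// With a CA it is signed by that CA, which is what a working helper must do;
// with ca == nil it is merely self-signed, the broken result in the thread.
func mintHostCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random serial: browsers cache by issuer+serial, so reusing one across hosts breaks them.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	parent, signer := tmpl, any(key) // self-signed unless a CA is supplied
	if ca != nil {
		parent, signer = ca, any(caKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyAgainstCA is the check a browser trusting ca performs on what the
// proxy presents: a chain to ca, and a name matching the requested host.
func verifyAgainstCA(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	const host = "www.example.com" // constructed hostname for the example
	ca, caKey, err := newCA()
	if err != nil {
		log.Fatal(err)
	}
	signed, _, err := mintHostCert(host, ca, caKey)
	if err != nil {
		log.Fatal(err)
	}
	selfSigned, _, _ := mintHostCert(host, nil, nil)
	fmt.Println("CA-signed leaf:  ", verifyAgainstCA(signed, ca, host))
	fmt.Println("self-signed leaf:", verifyAgainstCA(selfSigned, ca, host))
}
```

Run with `go run`: the CA-signed leaf verifies (nil error) while the self-signed leaf fails with an unknown-authority error, which is the browser-side symptom of the behaviour Alex describes. The same check on what a shell helper prints is `openssl verify -CAfile /etc/ssl/ca/cacert.pem host.pem`, together with `openssl x509 -in host.pem -noout -subject -issuer` to confirm that the subject names the site and the issuer names the CA.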