RE: SSLBump and intermedia CA Certificate.

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On Wed, 22 Jun 2011 21:37:35 +0000, Ming Fu wrote:
> I am also interested in understanding the issue.
>
> Can squid send the certificate chain as a part of the negotiation?
> Apache is able to do that, so I think the underlining openssl is not
> the problem. This may require new configure option in the ssl_bump to
> tell squid where the certificate chain file is.

It is indeed possible.
The certificate generator is new and does not cover every possible 
situation of SSL. Patches welcome.

Amos

> Ming
>
>
> > -----Original Message-----
> > From: Lindsay Hill [mailto:lindsayh@xxxxxxxxxxxxxxxx]
> > Sent: Tuesday, June 07, 2011 11:31 PM
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject: Re:  SSLBump and intermedia CA Certificate.
> >
> > On 06/08/2011 02:52 PM, Amos Jeffries wrote:
> > > On Tue, 07 Jun 2011 11:54:52 +0200, Paweł Mojski wrote:
> > >> Hi all.
> > >>
> > >> Finally I successful implemented ssl-bump with dynamic 
> > certificate
> > >> generation feature.
> > >> But, I don't know how to configure squid to use intermediate ca
> > >> certificate.
> > >> I generated Root CA, then using Root CA i signed Intermediate CA
> > >> certificate and now, I want squid to use this Intermediate CA
> > >> Certificate while generating certs for https connections.
> > >> Then I want to import Root CA certificate into Windows PKI to 
> > solve
> > >> "Unknown CA" error while surfing https pages.
> > >> How can I do that?
> > >
> > > The client must have a full chain of trust from the root all the 
> > way
> > > down to the end certificate during the transactions. I think you 
> > may
> > > find that signing with an intermediate CA needs to install both 
> > the
> > > root and the intermediate public CA on the clients.
> > >
> > >
> > >> I'm looking around cafile, capath of ssl-bump options but nothing
> > >> works for me.
> > >
> > > http://wiki.squid-cache.org/Features/SslBump
> > >
> > > To squid there is only the cert PEM you told it to sign with.
> > >
> > > Amos
> > >
> >
> > This matches up with what I've seen so far with my testing - I 
> > thought I
> > might be able to get it to provide the full certificate chain to 
> > users,
> > by playing around with the cafile settings, but no joy. Since all my
> > browsers already trust my root CA, I thought that creating an
> > intermediate CA for use by Squid would be sufficient. But no, I've 
> > had
> > to install the intermediate CA on my browsers too. Feature request I
> > guess?
> >
> >   - Lindsay