Hi Amos,

I am trying to make the intermediate certs into the dynamic ssl connection. Based on the code, the "cert" entry of http_port configure is actually a cert chain file. So the configure does have enough info for the intermediate cert chain to work. What is missing is when the SSL_CTX is dynamically generated, it only added the resigned server cert without the chain of certs.

My current difficulty is after I located the dynamic SSL_CTX context, how can I find the resigning cert chain defined in configure line http_port ..... cert=certfile.... Is it stored in some global?

Regards,
Ming

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Wednesday, June 22, 2011 7:20 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: RE: SSLBump and intermedia CA Certificate.
>
> On Wed, 22 Jun 2011 21:37:35 +0000, Ming Fu wrote:
> > I am also interested in understanding the issue.
> >
> > Can squid send the certificate chain as a part of the negotiation?
> > Apache is able to do that, so I think the underlying openssl is not
> > the problem. This may require new configure option in the ssl_bump to
> > tell squid where the certificate chain file is.
>
> It is indeed possible.
> The certificate generator is new and does not cover every possible
> situation of SSL. Patches welcome.
>
> Amos
>
> >
> > Ming
> >
> >
> >> -----Original Message-----
> >> From: Lindsay Hill [mailto:lindsayh@xxxxxxxxxxxxxxxx]
> >> Sent: Tuesday, June 07, 2011 11:31 PM
> >> To: squid-users@xxxxxxxxxxxxxxx
> >> Subject: Re: SSLBump and intermedia CA Certificate.
> >>
> >> On 06/08/2011 02:52 PM, Amos Jeffries wrote:
> >> > On Tue, 07 Jun 2011 11:54:52 +0200, Paweł Mojski wrote:
> >> >> Hi all.
> >> >>
> >> >> Finally I successfully implemented ssl-bump with dynamic certificate
> >> >> generation feature.
> >> >> But, I don't know how to configure squid to use intermediate ca
> >> >> certificate.
> >> >> I generated Root CA, then using Root CA I signed Intermediate CA
> >> >> certificate and now, I want squid to use this Intermediate CA
> >> >> Certificate while generating certs for https connections.
> >> >> Then I want to import Root CA certificate into Windows PKI to solve
> >> >> "Unknown CA" error while surfing https pages.
> >> >> How can I do that?
> >> >
> >> > The client must have a full chain of trust from the root all the way
> >> > down to the end certificate during the transactions. I think you may
> >> > find that signing with an intermediate CA needs to install both the
> >> > root and the intermediate public CA on the clients.
> >> >
> >> >
> >> >> I'm looking around cafile, capath of ssl-bump options but nothing
> >> >> works for me.
> >> >
> >> > http://wiki.squid-cache.org/Features/SslBump
> >> >
> >> > To squid there is only the cert PEM you told it to sign with.
> >> >
> >> > Amos
> >> >
> >>
> >> This matches up with what I've seen so far with my testing - I thought I
> >> might be able to get it to provide the full certificate chain to users,
> >> by playing around with the cafile settings, but no joy. Since all my
> >> browsers already trust my root CA, I thought that creating an
> >> intermediate CA for use by Squid would be sufficient. But no, I've had
> >> to install the intermediate CA on my browsers too. Feature request I
> >> guess?
> >>
> >> - Lindsay
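The whole thread turns on one check: whether the PEM bundle the proxy signs with (the file behind http_port cert=) is ordered leaf, intermediate, root, and whether each certificate is actually issued by the one after it. A browser that sees a leaf with no intermediate behind it reports the "Unknown CA" error Paweł and Lindsay describe. The script below is an added example, not squid code and not from anyone in this thread; it assumes only the openssl command-line tool. check_chain walks a leaf-first bundle and exits 0 for a chain that reaches a self-signed root, 2 for one that links correctly but stops at an intermediate (fine only if clients already trust that intermediate), and 1 where a link is missing. served_bundle captures what a running proxy actually sends, so the same check can be run against the live listener rather than the file on disk.

```sh
#!/bin/sh
# Chain-ordering check for a leaf-first PEM bundle (added example; assumes the openssl CLI).
# usage: sh chaincheck.sh /path/to/certfile.pem
#        served_bundle proxy.example.test:3129 > live.pem && check_chain live.pem

# Print "subject<TAB>issuer" for every certificate in a PEM bundle, in file order.
cert_subjects_issuers() {
    bundle="$1"
    tmp=$(mktemp -d) || return 1
    # split the bundle into one file per certificate: cert.1, cert.2, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert." n) }
    ' "$bundle"
    i=1
    while [ -f "$tmp/cert.$i" ]; do
        subj=$(openssl x509 -in "$tmp/cert.$i" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer | sed 's/^issuer= *//')
        printf '%s\t%s\n' "$subj" "$iss"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Verify that certificate N+1 is the issuer of certificate N all the way down the file.
# Returns 0 = complete to a self-signed root, 2 = links hold but the bundle stops at an
# intermediate, 1 = a link is missing or the file holds no certificates.
check_chain() {
    bundle="$1"
    tab=$(printf '\t')
    count=0
    prev_issuer=""
    last_subject=""
    last_issuer=""
    while IFS="$tab" read -r subj iss; do
        [ -n "$subj" ] || continue
        count=$((count + 1))
        if [ "$count" -gt 1 ] && [ "$subj" != "$prev_issuer" ]; then
            echo "gap at certificate $count: expected issuer '$prev_issuer', found subject '$subj'" >&2
            return 1
        fi
        prev_issuer=$iss
        last_subject=$subj
        last_issuer=$iss
    done <<EOF
$(cert_subjects_issuers "$bundle")
EOF
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        return 1
    fi
    if [ "$last_subject" = "$last_issuer" ]; then
        echo "ok: $count certificate(s), linked through to self-signed root '$last_subject'"
        return 0
    fi
    echo "incomplete: $count certificate(s) link up but stop at '$last_subject' (issued by '$last_issuer'); clients must already trust that issuer" >&2
    return 2
}

# Capture the chain a live TLS listener presents, leaf first, as a PEM bundle on stdout.
# The host part of host:port is sent as SNI so a name-based listener picks the right cert.
served_bundle() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

if [ $# -gt 0 ]; then
    check_chain "$1"
    exit $?
fi
```

The check is deliberately about ordering and linkage only, because that is what separates a bundle OpenSSL will send as a chain from one where only the first certificate is used; it does not validate signatures, expiry or basicConstraints, so run openssl verify against the bundle as well before trusting the result.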