Hi there,

I am attempting to configure Squid (proxy) with a free StartCom SSL certificate. My goal is to have client requests (http and https) proxied between Squid and the client over SSL. I know it'll break server certs from the legit servers :(

Squid recognises part of the SSL key chain, but not all of it. Finally it claims a level of the CA is self-signed.

The Apache host I have uses this, so I have used it as a source of inspiration:

SSLCertificateFile /etc/ssl/private/example.co.uk.ssl.crt
SSLCertificateKeyFile /etc/ssl/private/example.co.uk.nopassphase_ssl.key
SSLCertificateChainFile /etc/ssl/certs/startcomIntermediateCA.pem
SSLCACertificateFile /etc/ssl/certs/startcomCA.pem

The config has this:

https_port 62.123.123.123:8055 key=/etc/ssl/private/example.co.uk.nopassphase_ssl.key cert=/etc/ssl/private/example.co.uk.ssl.crt cafile=/etc/ssl/certs/startcom_combinedCA_and_Intermediate.pem defaultsite=webtest.example.co.uk options=NO_SSLv2 sslflags=NO_SESSION_REUSE

The cafile is actually the combined SSLCertificateChainFile and SSLCACertificateFile file from the Apache vhost. I have tried changing the order of the contained keys in the vain hope it would make a difference, which it didn't. I have tried the https_port with sslflags=NO_DEFAULT_CA,NO_SESSION_REUSE with no noticeable effect.

Here is what I get:

# openssl s_client -connect 62.123.123.123:8055
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=328815-ueN64BIOcLRJ4ldH/C=AU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=webtest.example.co.uk/emailAddress=webmaster@xxxxxxxxxxxxx
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHzD [SNIP] y3UmvlByGsMzrhmhIQqk52J9Hu5HXb5hiEGM1aOi8QM=
-----END CERTIFICATE-----
subject=/description=328815-ueN64BIOcLRJ4ldH/C=AU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=webtest.example.co.uk/emailAddress=webmaster@xxxxxxxxxxxxx
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5732 bytes and written 703 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: A02CBA24C40B65FEB3C3A0CFC45C834E11FAF4F6AC7905A452FAA3C400DFE5DFC1783218180ECDA3CE2A083281D8909D
    Key-Arg   : None
    Start Time: 1312457813
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

IP addresses and FQDNs are obfuscated in the above examples.

Any ideas how I can get the CAs to be valid?

Best wishes,
S
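Verify error 19 in the s_client output above is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the verifier could follow the chain all the way up to a self-signed root (the server sent it, because the root is in the cafile), but that root is not in the verifier's trust store, and s_client trusts nothing unless it is given -CAfile. The script below is an added example, not part of the post or of Squid; it reproduces both outcomes on a throwaway chain built on the spot, assuming only that openssl 1.1.1 or newer is on PATH, with every name and file in it constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): build a throwaway root -> intermediate
# -> leaf chain, then run OpenSSL's verifier on it with no trust store (what
# s_client does without -CAfile) and with the root trusted. Assumes openssl
# 1.1.1+ on PATH; all names below are made up for the demonstration.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal req config: empty DN section (we pass -subj) plus CA extensions.
printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n' > req.cnf
printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> req.cnf

# Self-signed root CA (stands in for the StartCom root in the post).
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Test Root CA" -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -config req.cnf -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Test Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile int.ext -out int.pem 2>/dev/null

# Leaf (server) certificate, signed by the intermediate.
openssl req -config req.cnf -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=webtest.example.co.uk" -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:webtest.example.co.uk\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# What the post's cafile= makes Squid send: intermediate plus root.
cat int.pem root.pem > sent_chain.pem

# Verify the leaf, treating the server-sent chain as untrusted material.
# $1 is a trust-store file, or empty to trust nothing at all. Prints the
# verifier's output: last line "leaf.pem: OK" on success, otherwise an
# "error N at D depth lookup: ..." line naming the failing certificate.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" -no-CApath -untrusted sent_chain.pem leaf.pem 2>&1 || true
  else
    openssl verify -no-CAfile -no-CApath -untrusted sent_chain.pem leaf.pem 2>&1 || true
  fi
}

echo "--- no trust store: expect error 19, exactly as in the post ---"
verify_leaf ""
echo "--- root trusted: expect OK ---"
verify_leaf root.pem
```

The same check against the real listener is `openssl s_client -connect host:port -CAfile startcomCA.pem`; once the root is supplied to the verifier the return code becomes 0, which shows whether anything is actually wrong with the chain the server sends.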