On 05/08/11 00:46, J4K wrote:
Hi there,
I am attempting to configure Squid (proxy) with a Free Startcom SSL certificate. My goal is to have client requests (http and https) to be proxied between squid and client over SSL. I know it'll break server certs from the legit servers :(
What makes you think that?
forward-proxy:
double-encrypting is possible and likely the best way to go about
this. Most browsers today simply wont talk SSL when contacting a proxy.
But will happily talk over an SSL tunnel to a proxy, similar to a proxy
over a VPN link.
reverse-proxy:
the squid gateway _is_ the origin server from the browsers viewpoint.
Using a certificate is right there and will not cause problems.
Squid recognises part of the SSL key chain, but not all of it. Finally it claims a level of the CA is self-signed.
The Apache host I have uses this, so I have used it as a source of inspiration.
SSLCertificateFile /etc/ssl/private/example.co.uk.ssl.crt
SSLCertificateKeyFile /etc/ssl/private/example.co.uk.nopassphase_ssl.key
SSLCertificateChainFile /etc/ssl/certs/startcomIntermediateCA.pem
SSLCACertificateFile /etc/ssl/certs/startcomCA.pem
The config has this:
https_port 62.123.123.123:8055 key=/etc/ssl/private/example.co.uk.nopassphase_ssl.key cert=/etc/ssl/private/example.co.uk.ssl.crt cafile=/etc/ssl/certs/startcom_combinedCA_and_Intermediate.pem defaultsite=webtest.example.co.uk options=NO_SSLv2 sslflags=NO_SESSION_REUSE
The cafile is actually the combined SSLCertificateChainFile and SSLCACertificateFile file from the Apache vhost. I have tried changing the order of the contained keys in vain hope it would make a difference, which it didn't.
I have tried the https_port with sslflags=NO_DEFAULT_CA,NO_SESSION_REUSE with no noticeable effect.
Here is what I get:
# openssl s_client -connect 62.123.123.123:8055
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/description=328815-ueN64BIOcLRJ4ldH/C=AU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=webtest.example.co.uk/emailAddress=webmaster@xxxxxxxxxxxxx
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHzD [SNIP]
y3UmvlByGsMzrhmhIQqk52J9Hu5HXb5hiEGM1aOi8QM=
-----END CERTIFICATE-----
subject=/description=328815-ueN64BIOcLRJ4ldH/C=AU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=webtest.example.co.uk/emailAddress=webmaster@xxxxxxxxxxxxx
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5732 bytes and written 703 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: A02CBA24C40B65FEB3C3A0CFC45C834E11FAF4F6AC7905A452FAA3C400DFE5DFC1783218180ECDA3CE2A083281D8909D
Key-Arg : None
Start Time: 1312457813
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
Obfuscation of IP and FQDNs in above examples.
Any ideas how I can get the CAs to be valid?
That config should work, and the details do appear to all arrive in the
openssl tool for use. So that part seems right.
The only cert in that chain which is self-signed is the main "StartCom
Certification Authority" certificate.
Is your CA certs base information up to date?
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.14
Beta testers wanted for 3.2.0.10
