Hi,

The problem: after successful tests with a self-signed cert for sslbump, the idea is to use a "real" cert signed by a CA known in common browsers. Such a cert has a hierarchy "chain", i.e. the proxy cert is signed by an official CA, which is signed by a CA whose key is in browsers.

Support for such cert chaining was introduced in squid 3.2 I understand, but I've not had luck in getting it running so far :-( . See also http://bugs.squid-cache.org/show_bug.cgi?id=3426

Perhaps someone on squid-users has a few tips to help me understand if the issue is with my config, or the sslbump code.

The Test environment:
-----------------------------
Running the recent squid-3.2.0.14 tarball, on Ubuntu 10.04

A few debug options to try and see useful logs:
  debug_options ALL,1 83,8 23,2 84,5
  sslcrtd_program /usr/local/squid/libexec/ssl_crtd -d -s /var/lib/squid_ssl_db -M 4MB

The proxy's cert was generated by:
- openssl genrsa -out proxy.vptt.ch.key 2048
- send to CA and get back a .crt file
- create a file containing the private keys, signed public key, and public keys of the CA chain:
  cat proxy.cer proxy.pem proxy.key CA_1_pem.crt Root_CA_1_pem.crt > proxy.chain

  http_port 80 ssl-bump cert=/etc/squid/ssl/proxy.chain generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

Before starting, wipe all cached certs:
  /etc/init.d/squid stop
  \rm -rf /var/lib/squid_ssl_db
  /usr/local/squid/libexec/ssl_crtd -c -s /var/lib/squid_ssl_db
  chown -R proxy /var/lib/squid_ssl_db
  /etc/init.d/squid start

Starting squid:
----------------
Having started squid, visit https://www.squid-cache.org; the browser (FF 8.0.1 on Windows) complains: "www.squid-cache.org uses an invalid security certificate".

Asking the browser to show the cert details, one sees that the certificate hierarchy has just one level, www.squid-cache.org signed by the proxy (i.e. no sign of the intermediate CAs).
Analysis:
-----------
Detailed logs are listed below.
- sslbump is being activated, a new cert is generated for the destination website, and signed. Two public certs are visible in the logs:
  a) the proxy's cert, which when analysed (pasted to a file.crt and viewed under windows) contains a correct hierarchy proxy > CA1 > root_CA
  b) a cert for www.squid-cache.org, which is issued by the proxy, but does not contain hierarchy information.
- the browser replies finally with "unknown ca"

Any suggestions as to what I'm doing wrong, or what measures to take to debug in more detail?

Thanks in advance,
Sean

------ snip logs ----
2011/12/13 13:08:55.564| Accepting SSL bumped HTTP Socket connections at local=[::]:80 remote=[::] FD 22 flags=9
2011/12/13 13:08:56| storeLateRelease: released 0 objects
..
2011/12/13 13:09:06.961| client_side_request.cc(1469) doCallouts: Doing calloutContext->hostHeaderVerify()
2011/12/13 13:09:06.962| client_side_request.cc(1476) doCallouts: Doing calloutContext->clientAccessCheck()
2011/12/13 13:09:06.963| urlParse: URI has whitespace: {icap://127.0.0.1:1344/squidclamav ICAP/1.0 }
2011/12/13 13:09:06.963| urlParse: URI has whitespace: {icap://127.0.0.1:1344/squidclamav ICAP/1.0 }
2011/12/13 13:09:06.967| client_side_request.cc(1505) doCallouts: Doing calloutContext->clientAccessCheck2()
2011/12/13 13:09:06.967| client_side_request.cc(1512) doCallouts: Doing clientInterpretRequestHeaders()
2011/12/13 13:09:06.967| client_side_request.cc(1344) sslBumpNeeded: sslBump required: Yes
2011/12/13 13:09:06.967| client_side_request.cc(1568) doCallouts: calling processRequest()
2011/12/13 13:09:06.967| GetFirstAvailable: Running servers 5
2011/12/13 13:09:06.967| helperDispatch: Request sent to ssl_crtd #1, 3739 bytes
2011/12/13 13:09:06.967| helperSubmit: new_certificate 3717 host=www.squid-cache.org
-----BEGIN CERTIFICATE-----
<proxy public cert: deleted>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
.<deleted>.
-----END RSA PRIVATE KEY-----
2011/12/13 13:09:07.034| helperHandleRead: 1885 bytes from ssl_crtd #1
2011/12/13 13:09:07.034| helperHandleRead: 'OK 1876
-----BEGIN CERTIFICATE-----
MIICrDCCAZQCBAdgtFYwDQYJKoZIhvcNAQEFBQAwgZoxCzAJBgNVBAYTAkNIMQ0w
CwYDVQQIEwRCZXJuMQ0wCwYDVQQHEwRCZXJuMRUwEwYDVQQKEwxTd2lzc2NvbSBM
dGQxITAfBgNVBAsTGFN0cmF0ZWd5IGFuZCBJbm5vdmF0aW9uczEWMBQGA1UEAxMN
cHJveHkudnB0dC5jaDEbMBkGCSqGSIb3DQEJARYMcm9vdEB2cHR0LmNoMB4XDTEx
MTIxMTEyMDkwN1oXDTE0MTEyMzEzMjIzM1owHjEcMBoGA1UEAxMTd3d3LnNxdWlk
LWNhY2hlLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoNjuzSwl4Ri7
M1h7QiWAEWVGMUkPTxFP4Nl4+X6JvoZ6+dQ+Dprd/ng+o01j2ckq9Y7hKfjWpugd
MthuRDGAbkd4alzmQwfEcoXoXr5wAkofBkxonXAwgHtpVXeDDkBpRxnpgYkxc2Jk
Dkz0xvHRzxWTLZBM+LvTl9Yppyt9bUMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
nGlozvURpAhxk6S6zYqCryq3MZqHR6uJufzB5YVQW1VIGKTkmwlp3nb5zB3D54S6
jNHJq6enPNzxd9XiNM8NIukmgwacYWKiyPaPILTofASM/FezszGbBpZe0fOPzl78
CHG7s6g7tv9oSgjRZJuzEjaXqmxxcVo99rApnjeBB75atCh1RTPtikC2Y/paeGzO
Dq1+ItQ9oVljd5D4DP13Kx9Tj/Y+OvVgAyOVyQcW7vi3pa9AKN1yOpieAe55AH71
hvCjlewZioAFJvFzX97ZsB9qi2gVsZin9BCmuUCeXHK91T8RvnXmpCF2W3qk4UHi
QJHkll9Yv+GwNnNoJcXNVw==
-----END CERTIFICATE-----
.<deleted>.
-----END RSA PRIVATE KEY-----
'
2011/12/13 13:09:07.034| helperHandleRead: end of reply found
2011/12/13 13:09:07.035| GetFirstAvailable: Running servers 5
2011/12/13 13:09:07.035| clientNegotiateSSL: Error negotiating SSL connection on FD 10: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
------ snip ----
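An added example, not from Sean's post and not part of squid or ssl_crtd: a small Python 3 script (standard library only) that reads a PEM bundle such as proxy.chain, skips the private-key blocks that file mixes in, and walks the certificates in the order a TLS server presents them (leaf first, where each following certificate must be the issuer of the one before), reporting where the chain stops. It does a minimal DER walk rather than using a full X.509 library, so it only extracts version, serial, issuer and subject. The embedded sample is the www.squid-cache.org certificate that ssl_crtd returned in the log above (the proxy's own certificate was deleted from the post), so the script reports that its issuer 'proxy.vptt.ch' is not in the bundle, which is the one-level hierarchy the browser showed before answering 'unknown ca'; it also shows that this generated cert is X.509 v1. Running it against proxy.chain (the file name on the command line is an assumption) tells you whether that file's certificates are ordered proxy, CA_1, Root_CA before looking further at the sslbump code.

```python
import base64
import re

OID_COMMON_NAME = b"\x55\x04\x03"      # DER-encoded OID 2.5.4.3 (commonName)

# Only CERTIFICATE blocks are taken; RSA PRIVATE KEY blocks are ignored.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Sample input: the www.squid-cache.org certificate from the ssl_crtd reply in
# the post; the private key that followed it is elided, as in the post.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIICrDCCAZQCBAdgtFYwDQYJKoZIhvcNAQEFBQAwgZoxCzAJBgNVBAYTAkNIMQ0w
CwYDVQQIEwRCZXJuMQ0wCwYDVQQHEwRCZXJuMRUwEwYDVQQKEwxTd2lzc2NvbSBM
dGQxITAfBgNVBAsTGFN0cmF0ZWd5IGFuZCBJbm5vdmF0aW9uczEWMBQGA1UEAxMN
cHJveHkudnB0dC5jaDEbMBkGCSqGSIb3DQEJARYMcm9vdEB2cHR0LmNoMB4XDTEx
MTIxMTEyMDkwN1oXDTE0MTEyMzEzMjIzM1owHjEcMBoGA1UEAxMTd3d3LnNxdWlk
LWNhY2hlLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoNjuzSwl4Ri7
M1h7QiWAEWVGMUkPTxFP4Nl4+X6JvoZ6+dQ+Dprd/ng+o01j2ckq9Y7hKfjWpugd
MthuRDGAbkd4alzmQwfEcoXoXr5wAkofBkxonXAwgHtpVXeDDkBpRxnpgYkxc2Jk
Dkz0xvHRzxWTLZBM+LvTl9Yppyt9bUMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
nGlozvURpAhxk6S6zYqCryq3MZqHR6uJufzB5YVQW1VIGKTkmwlp3nb5zB3D54S6
jNHJq6enPNzxd9XiNM8NIukmgwacYWKiyPaPILTofASM/FezszGbBpZe0fOPzl78
CHG7s6g7tv9oSgjRZJuzEjaXqmxxcVo99rApnjeBB75atCh1RTPtikC2Y/paeGzO
Dq1+ItQ9oVljd5D4DP13Kx9Tj/Y+OvVgAyOVyQcW7vi3pa9AKN1yOpieAe55AH71
hvCjlewZioAFJvFzX97ZsB9qi2gVsZin9BCmuUCeXHK91T8RvnXmpCF2W3qk4UHi
QJHkll9Yv+GwNnNoJcXNVw==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<deleted>
-----END RSA PRIVATE KEY-----
"""


def pem_certificates(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_CERT_RE.finditer(pem_text)]


def der_tlv(buf, pos):
    """Decode one DER tag and length at pos: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def common_name(buf, start, end):
    """CN from a DER Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn_s, rdn_e in der_children(buf, start, end):
        for _, atv_s, atv_e in der_children(buf, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = list(der_children(buf, atv_s, atv_e))
            if buf[oid_s:oid_e] == OID_COMMON_NAME:
                return buf[val_s:val_e].decode("utf-8", "replace")
    return None


def parse_certificate(der):
    """Pull version, serial, issuer and subject out of one X.509 certificate."""
    _, cert_s, _ = der_tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = der_tlv(der, cert_s)       # tbsCertificate ::= SEQUENCE
    fields = list(der_children(der, tbs_s, tbs_e))
    version = 1
    if fields[0][0] == 0xA0:                     # [0] EXPLICIT Version, absent in v1
        _, v_s, v_e = fields.pop(0)
        _, iv_s, iv_e = der_tlv(der, v_s)
        version = int.from_bytes(der[iv_s:iv_e], "big") + 1
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, ser_s, ser_e = fields[0]
    _, iss_s, iss_e = fields[2]
    _, sub_s, sub_e = fields[4]
    return {"version": version, "serial": der[ser_s:ser_e].hex(),
            "issuer": der[iss_s:iss_e], "issuer_cn": common_name(der, iss_s, iss_e),
            "subject": der[sub_s:sub_e], "subject_cn": common_name(der, sub_s, sub_e)}


def check_chain(pem_text):
    """Walk the bundle leaf-first; each next cert must be the issuer of the
    previous one. Returns (subject_cn, status) per cert, status being
    'ok', 'root', 'missing_issuer' or 'out_of_order'."""
    certs = [parse_certificate(d) for d in pem_certificates(pem_text)]
    result = []
    for i, cert in enumerate(certs):
        if cert["issuer"] == cert["subject"]:    # self-signed: end of chain
            result.append((cert["subject_cn"], "root"))
            break
        nxt = certs[i + 1] if i + 1 < len(certs) else None
        if nxt is None:
            status = "missing_issuer"            # the browser's 'unknown ca' case
        elif nxt["subject"] != cert["issuer"]:
            status = "out_of_order"
        else:
            status = "ok"
        result.append((cert["subject_cn"], status))
    return result


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for c in (parse_certificate(d) for d in pem_certificates(text)):
        print(f"v{c['version']} serial={c['serial']} subject={c['subject_cn']} issuer={c['issuer_cn']}")
    for cn, status in check_chain(text):
        print(f"{cn}: {status}")
```

Issuer and subject are compared as raw DER, which is how a simple chain builder matches them; a bundle whose last certificate is a self-signed root ends with 'root', one that stops at an intermediate ends with 'missing_issuer' (acceptable if the client already trusts that intermediate's issuer), and a 'cat' in the wrong order shows up as 'out_of_order'.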