Hey All,

I am trying to use the dynamic SSL certificate generation in 3.3. My squid setup is an interception proxy setup. So dynamic generation in interception is only possible after bump-server first available in 3.3. I have added the Root CA certificate (generated by myself) to the browser.

The problem is that squid is still giving the same certificate to the client, which causes warnings in the browser. By same I mean the certificate that I created myself, which does not have the correct destination domain. Looking at the presented certificate in the browser, I can see the fields that I used to create the certificate. Effectively this means that dynamic certificate generation is not working.

Also, certificates are supposed to be cached in the ssl_db by the sslcrt_program. There are no certificates being generated in that path (/usr/local/squid-3.3/var/lib/ssl_db/certs). I can also see the 5 children of sslcrtd running, but it seems they are not doing their job.

My config is below (https_port is the involved port, since I am in interception mode):
############################################################################
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

## Dynamic certificate portion
sslcrtd_program /usr/local/squid-3.3/libexec/ssl_crtd -s /usr/local/squid-3.3/var/lib/ssl_db -M 4MB
sslcrtd_children 5

http_port 192.168.8.40:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/talha/squid/www.sample.com.pem key=/home/talha/squid/www.sample.com.pem
http_port 192.168.8.40:8080
https_port 192.168.8.40:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/talha/squid/www.sample.com.pem key=/home/talha/squid/www.sample.com.pem
#############################################################################

I am getting these errors in access.log for https sites (port 443 is being used as it is transparent-interception mode):

2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 14: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 25: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 23: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)

Which certificate is bad? Any idea why dynamic generation is not working? Or why this bad certificate error?

--
Regards,
-Ahmed Talha Khan
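
The packed OpenSSL error code in the log lines quoted in the post can be decoded to see which TLS alert was raised and which side sent it. This is an added example, not part of the original post; it assumes the OpenSSL 1.0.x error layout (8-bit library, 12-bit function, 12-bit reason), and the function names are hypothetical.

```python
import re
from collections import Counter

# Log lines copied from the post above, embedded so the example runs offline.
SAMPLE_LOG = """\
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 14: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 16: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 25: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
2012/04/26 13:12:59| clientNegotiateSSL: Error negotiating SSL connection on FD 23: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (1/0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\| clientNegotiateSSL: Error negotiating SSL connection "
    r"on FD (?P<fd>\d+): error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>.*?)(?: \(-?\d+/-?\d+\))?$"
)

# TLS alert numbers that concern the certificate (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

def decode_error(code_hex):
    """Split an OpenSSL 1.0.x packed error into lib, func, reason and alert."""
    code = int(code_hex, 16)
    reason = code & 0xFFF
    # Reasons of 1000 and above are 1000 + the TLS alert number.
    alert = reason - 1000 if reason >= 1000 else None
    return {"lib": code >> 24 & 0xFF, "func": code >> 12 & 0xFFF,
            "reason": reason, "alert": alert}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = decode_error(m["code"])
    rec.update(ts=m["ts"], fd=int(m["fd"]), func_name=m["func"])
    rec["alert_name"] = CERT_ALERTS.get(rec["alert"], "other")
    # An alert surfaced by SSL3_READ_BYTES was read off the wire, so the peer
    # sent it. In clientNegotiateSSL the peer is the client (the browser).
    rec["sent_by_peer"] = rec["alert"] is not None and m["func"] == "SSL3_READ_BYTES"
    return rec

def summarize(log_text):
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return Counter((r["alert_name"], r["sent_by_peer"]) for r in recs), recs

if __name__ == "__main__":
    for (name, by_peer), n in summarize(SAMPLE_LOG)[0].items():
        print(f"{n} x {name}, sent by client: {by_peer}")
```

For these lines the decoded reason is 1042, that is TLS alert 42 (bad_certificate) received from the client, so the alert refers to the certificate Squid presented on the client-facing connection.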