On 31/01/2013 4:47 p.m., John Xue wrote:
> Hi,
> I'm using ssl-bump in my forward proxy squid 3.2.3. When I try to access
> https://centos.org, I get this error:
Firstly please upgrade to at least 3.2.6.
If possible please upgrade to squid-3.3 release series. They are
currently still in beta but work far better than 3.2 stable series does.
> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> SSL Certificate error: certificate issuer (CA) not known:
> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
> But when I bypass the proxy and access this site in IE9, it's OK, so I
> think the problem is the ssl-bump proxy, not the untrusted SSL certificate.
You are forging a certificate. Injecting it into the SSL traffic flow.
Decrypting that traffic flow. Then re-encrypting the outbound traffic
with a different client certificate.
"What could possibly go wrong?"
As it happens "certificate issuer (CA) not known" is happening.
Probably your CA key is not installed on that client machine.
> This is my configuration:
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem
> key=/usr/local/squid/etc/key.pem
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
> /usr/local/squid/var/ssl_db -M 4MB
> --
> Regards,
> John Xue