On 27/11/2014 6:45 a.m., HaxNobody wrote:
> Alright, I figured out a possible cause. I downloaded the
> certificate that the browsers were complaining about, and used
> openssl verify to verify against the root certificate that I have.
> I got error 20, indicating that squid must not be using the correct
> root certificate to generate the client certificate on the fly, or
> that it is being generated incorrectly. The generated certificate
> shows all the correct properties of the root certificate that I am
> using, so my conclusion is that squid is incorrectly generating the
> client certificate.
>
> Question: Under what circumstances might squid incorrectly generate
> a bump certificate?

In all circumstances involving client-first bumping, or a bug in Squid.

Other circumstances depend on your definition of "correct". Squid 3.3+ will mimic certificates *including errors* delivered by servers.

Also, Squid does not generate client certificates. It generates server certificates. I assume that is what you are talking about.

> Another question: Why might it be working when I use a different
> root certificate?

a) possibly the client trusts only one out of the two root certificates.

b) possibly the non-working certificate is not properly installed in the client.

c) possibly the non-trusted root certificate is part of a chain which the client is not able to locate all the pieces for (leading to 'a').

d) possibly the root certificate has key extensions or usage restrictions prohibiting what Squid usage requires (leading to 'a').

You will need to get a content dump of the certificates emitted by Squid and a working system to see what the difference(s) are.

Amos
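
Added example, not part of the original message and not Squid's own tooling: a shell sketch of the "content dump and compare" step from the thread, for the case where a certificate shows the expected root's properties yet `openssl verify` rejects it. The file names, the subject names and the scenario of two roots sharing one name but not one key are assumptions; every certificate is constructed lab data.

```shell
#!/bin/sh
# Constructed lab data: two self-signed roots that share one subject name but
# have different keys, and a server certificate signed by the second root.
work=$(mktemp -d)
make_root() {   # $1 = file prefix (hypothetical names)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Bump CA" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}
make_root trusted    # stands in for the root installed in the client
make_root signing    # stands in for the root whose key really signs
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -days 1 -CAcreateserial \
  -CA "$work/signing.pem" -CAkey "$work/signing.key" -out "$work/leaf.pem" 2>/dev/null

# Fields to compare between a certificate that works and one that does not.
fields() {      # $1 = certificate file
  openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
  openssl x509 -in "$1" -noout -text |
    grep -A1 -E 'Key Identifier|Key Usage|Basic Constraints' || true
}

# Classify why a certificate does or does not verify against one root.
diagnose() {    # $1 = root file, $2 = certificate file
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo "verifies against this root"
  elif [ "$(openssl x509 -in "$2" -noout -issuer_hash)" = \
         "$(openssl x509 -in "$1" -noout -subject_hash)" ]; then
    echo "issuer name matches this root, but verification fails"
  else
    echo "issuer name does not match this root"
  fi
}

echo "trusted root: $(diagnose "$work/trusted.pem" "$work/leaf.pem")"
echo "signing root: $(diagnose "$work/signing.pem" "$work/leaf.pem")"
fields "$work/trusted.pem" > "$work/trusted.txt"
fields "$work/signing.pem" > "$work/signing.txt"
# The subject and issuer lines are identical; the fingerprint is not.
diff "$work/trusted.txt" "$work/signing.txt" || true
```

On a real system, point `diagnose` and `fields` at the root installed in the client and at the certificate captured from the proxy instead of the generated files.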