http://wiki.squid-cache.org/Features/DynamicSslCert
I have set up my lab with explicit proxy by exporting http_proxy and https_proxy. After creating the self-signed root CA certificate above and creating the .der file for the client, here are my results:
>From the squid side:
2015/05/25 10:02:20.161| Using certificate in /opt/etc/squid/certs/SquidCA.pem
2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain: Certificate is self-signed, will not be chained
I get the below when I don't specify a CA with curl, otherwise when I do I get no error:
2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
And from the client side:
root@kali:~/test# curl -v https://mail.slave-tothe-box.net
* About to connect() to proxy 192.168.1.9 port 3129 (#0)
* Trying 192.168.1.9...
* connected
* Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
* Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> Host: mail.slave-tothe-box.net:443
> User-Agent: curl/7.26.0
> Proxy-Connection: Keep-Alive
>
* Easy mode waiting response from proxy CONNECT
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection #0
And testing with specifying the .der file:
root@kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v https://mail.slave-tothe-box.net
* About to connect() to proxy 192.168.1.9 port 3129 (#0)
* Trying 192.168.1.9...
* connected
* Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
* Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> Host: mail.slave-tothe-box.net:443
> User-Agent: curl/7.26.0
> Proxy-Connection: Keep-Alive
>
* Easy mode waiting response from proxy CONNECT
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* error setting certificate verify locations:
CAfile: /etc/ssl/certs/SquidCA.der
CApath: /etc/ssl/certs
* Closing connection #0
curl: (77) error setting certificate verify locations:
CAfile: /etc/ssl/certs/SquidCA.der
CApath: /etc/ssl/certs
I can confirm that the server is using a bona-fide certificate issued from StartSSL and works, so at this point I'm open to suggestions. Thank you.
James
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
