Hm. Interesting. You want to say you use an ordinary server certificate, signed with an external trusted CA? And users can't see the MiTM?

On 25.05.15 22:26, James Lay wrote:
> So following advice and instructions on this page:
>
> http://wiki.squid-cache.org/Features/DynamicSslCert
>
> I have set up my lab with explicit proxy by exporting http_proxy and
> https_proxy. After creating the self-signed root CA certificate above
> and creating the .der file for the client, here are my results:
>
> From the squid side:
> 2015/05/25 10:02:20.161| Using certificate in /opt/etc/squid/certs/SquidCA.pem
> 2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain: Certificate is self-signed, will not be chained
>
> I get the below when I don't specify a CA with curl, otherwise when I do
> I get no error:
> 2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
>
> And from the client side:
> root@kali:~/test# curl -v https://mail.slave-tothe-box.net
> * About to connect() to proxy 192.168.1.9 port 3129 (#0)
> * Trying 192.168.1.9...
> * connected
> * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
> * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> > CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> > Host: mail.slave-tothe-box.net:443
> > User-Agent: curl/7.26.0
> > Proxy-Connection: Keep-Alive
> >
> * Easy mode waiting response from proxy CONNECT
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS alert, Server hello (2):
> * SSL certificate problem: self signed certificate in certificate chain
> * Closing connection #0
>
> And testing with specifying the .der file:
> root@kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v https://mail.slave-tothe-box.net
> * About to connect() to proxy 192.168.1.9 port 3129 (#0)
> * Trying 192.168.1.9...
> * connected
> * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
> * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> > CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> > Host: mail.slave-tothe-box.net:443
> > User-Agent: curl/7.26.0
> > Proxy-Connection: Keep-Alive
> >
> * Easy mode waiting response from proxy CONNECT
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * error setting certificate verify locations:
> CAfile: /etc/ssl/certs/SquidCA.der
> CApath: /etc/ssl/certs
>
> * Closing connection #0
> curl: (77) error setting certificate verify locations:
> CAfile: /etc/ssl/certs/SquidCA.der
> CApath: /etc/ssl/certs
>
>
> I can confirm that the server is using a bona-fide certificate issued
> from StartSSL and works, so at this point I'm open to suggestions.
> Thank you.
>
> James
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
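curl's --cacert expects a PEM bundle, so handing it the .der export is what produces the "(77) error setting certificate verify locations" result above, whereas the first run's "self signed certificate in certificate chain" is the ordinary trust failure any client without the bump CA in its store will show. As an added example (not code from this thread or from Squid), the script below tells the two encodings apart by checking that a DER file's outer SEQUENCE length matches the file size, then rewrites a DER CA as PEM for curl; the file names and SAMPLE_DER are constructed for illustration.

```python
import base64
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

# Constructed stand-in for a .der file: an outer SEQUENCE holding one INTEGER.
# Not a real certificate, just enough to exercise the header check below.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


def der_outer_length(data: bytes) -> int:
    """Total size (header + content) claimed by the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:        # 0x30 is the SEQUENCE tag
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                            # short form: one length byte
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_cert_format(data: bytes) -> str:
    """Return 'PEM' or 'DER'; truncated or padded DER and garbage are rejected."""
    if data.lstrip().startswith(PEM_HEADER):
        return "PEM"
    if der_outer_length(data) == len(data):     # header must match file size
        return "DER"
    raise ValueError("DER length does not match file size")


def to_pem(data: bytes) -> bytes:
    """Return the certificate as PEM (what curl --cacert reads); DER is re-encoded."""
    if detect_cert_format(data) == "PEM":
        return data
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # 64 columns per RFC 7468
    return b"\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + b"\n"


def convert_cafile(src: str, dst: str) -> str:
    """Rewrite CA file src as PEM into dst; return the format src was in."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(to_pem(data))
    return detect_cert_format(data)


if __name__ == "__main__":  # usage: python3 cafile_to_pem.py SquidCA.der SquidCA.pem
    print("input was", convert_cafile(sys.argv[1], sys.argv[2]), "; PEM written to", sys.argv[2])
```

After conversion, the client-side check is the same curl command as above with the .pem file passed to --cacert.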