Ah, a misunderstanding. The error you got means that the target server certificate's CA is not visible to Squid. Or to the client. Huh. :) I had thought that Squid had suddenly turned into hackware :)))))))))))

On 25.05.15 22:26, James Lay wrote:
> So following advice and instructions on this page:
>
> http://wiki.squid-cache.org/Features/DynamicSslCert
>
> I have set up my lab with explicit proxy by exporting http_proxy and
> https_proxy. After creating the self-signed root CA certificate above
> and creating the .der file for the client, here are my results:
>
> From the squid side:
> 2015/05/25 10:02:20.161| Using certificate in /opt/etc/squid/certs/SquidCA.pem
> 2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain: Certificate is self-signed, will not be chained
>
> I get the below when I don't specify a CA with curl, otherwise when I do
> I get no error:
> 2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
>
> And from the client side:
> root@kali:~/test# curl -v https://mail.slave-tothe-box.net
> * About to connect() to proxy 192.168.1.9 port 3129 (#0)
> * Trying 192.168.1.9...
> * connected
> * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
> * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> > CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> > Host: mail.slave-tothe-box.net:443
> > User-Agent: curl/7.26.0
> > Proxy-Connection: Keep-Alive
> >
> * Easy mode waiting response from proxy CONNECT
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * successfully set certificate verify locations:
> *   CAfile: none
> *   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS alert, Server hello (2):
> * SSL certificate problem: self signed certificate in certificate chain
> * Closing connection #0
>
> And testing with specifying the .der file:
> root@kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v https://mail.slave-tothe-box.net
> * About to connect() to proxy 192.168.1.9 port 3129 (#0)
> * Trying 192.168.1.9...
> * connected
> * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
> * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> > CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> > Host: mail.slave-tothe-box.net:443
> > User-Agent: curl/7.26.0
> > Proxy-Connection: Keep-Alive
> >
> * Easy mode waiting response from proxy CONNECT
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * error setting certificate verify locations:
>   CAfile: /etc/ssl/certs/SquidCA.der
>   CApath: /etc/ssl/certs
>
> * Closing connection #0
> curl: (77) error setting certificate verify locations:
>   CAfile: /etc/ssl/certs/SquidCA.der
>   CApath: /etc/ssl/certs
>
>
> I can confirm that the server is using a bona-fide certificate issued
> from StartSSL and works, so at this point I'm open to suggestions.
> Thank you.
>
> James
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
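James's second run ends in curl error 77 at the "error setting certificate verify locations" step: with an OpenSSL-backed curl, --cacert must point at a PEM file, and the file handed to it is the .der exported for the client. The following is an added example, not code from the thread or from the Squid project: a small helper that tells the two encodings apart and re-armors a DER certificate as PEM. SAMPLE_DER is a constructed minimal DER SEQUENCE, not a real certificate, and exists only to exercise the detection and conversion.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE (an INTEGER 5), NOT a real certificate;
# it only exercises the format detection and DER -> PEM armoring below.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_length(data: bytes) -> int:
    """Total encoded length of the outer DER element, or -1 if it is not a SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:   # an X.509 Certificate is a SEQUENCE
        return -1
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_format(data: bytes) -> str:
    """Classify a CA file as 'pem', 'der' or 'unknown'."""
    if PEM_BLOCK.search(data):
        return "pem"
    if der_length(data) == len(data):      # one DER element spanning the whole file
        return "der"
    return "unknown"

def der_to_pem(der: bytes) -> bytes:
    """Base64-armor one DER certificate with 64-column lines, as PEM requires."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")

def ensure_pem(data: bytes) -> bytes:
    """Return bytes curl --cacert can load: PEM passes through, DER is re-armored."""
    fmt = detect_format(data)
    if fmt == "pem":
        return data
    if fmt == "der":
        return der_to_pem(data)
    raise ValueError("not a PEM or DER certificate; curl would fail with error 77")

def pem_to_der(pem: bytes) -> list:
    """Decode every certificate in a PEM bundle back to DER (round-trip check)."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_BLOCK.findall(pem)]
```

Run the exported SquidCA.der through ensure_pem, write the result to a .pem file and pass that to --cacert; a PEM bundle containing several certificates is returned unchanged.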