Hi! I updated squid to 3.5.9, but nothing changed. I use a config with

...
ssl_bump stare all
ssl_bump bump all
...

When I use ssl bump, squid does not send the certificate chain.

Info from s_client with ssl_bump:

[sas@file01 ~]$ openssl s_client -connect google.ru:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
---
Server certificate
-----BEGIN CERTIFICATE-----
MIId8TCCHVqgAwIBAgIUArbJgJ+rY/6iCYPIpI4Yh15iz8UwDQYJKoZIhvcNAQEL
BQAwVjELMAkGA1UEBhMCUlUxDDAKBgNVBAgMA1ZMRzERMA8GA1UECgwISE9NRSBM
....
BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsF
AAOBgQCaSYyvXjtbuS1ZGBnyQ4sDK/8jkjTapreBK2tJhzIaX8nt1r8nXTsNNDv+
7zFbVA94Ax+gFwjRzU62mCWXoZ7IOSWDI/yZIR2yyYkVnBvd/Oe3JeoUyq+fhRkM
qewa4S/C4sczmcGPyAuSJnX24YZiLoT4yi9HRZ8d+yFBCuFyYg==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
issuer=/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
---
No client certificate CA names sent
---
SSL handshake has read 7982 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: FF52E1FA45A100529F290119DAF36E40BBE2E4D6CFA03D8310CA151D81934AF6
    Session-ID-ctx:
    Master-Key: C0FE89EE352C1DB55C2E7DC067420E17DCC45949BDC06E26474994D7B0FBBB95549FE4B490EE6C6A34C8B7FD8C412AC3
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 67 f2 fd f6 1c a0 72 ef-27 c7 e0 8d bc 36 58 fd   g.....r.'....6X.
    0010 - 24 1e e0 26 92 55 18 c9-b9 d5 25 a2 be c8 b4 7f   $..&.U....%.....
    0020 - ac 0a 50 d5 f3 6a 75 38-1f 4f 34 16 6a 83 70 ec   ..P..ju8.O4.j.p.
    0030 - 19 e7 a0 3a 94 82 bc c8-1c 03 94 35 57 13 98 2d   ...:.......5W..-
    0040 - c9 ce c7 fe 5c f3 0e e6-33 97 1f 9d 39 c5 24 dd   ....\...3...9.$.
    0050 - 53 a5 49 10 03 5e 24 a6-fb d8 b3 4a 47 9d 8e e0   S.I..^$....JG...
    0060 - 71 63 27 ba 69 e6 14 e5-98 c4 a7 24 0c e6 9b 6d   qc'.i......$...m
    0070 - bd c1 b6 31 ea 5c 3e 0b-5f 3b 47 75 66 e0 2e 22   ...1.\>._;Guf.."
    0080 - 0e b0 42 0b 0d fc 13 c7-0d 00 ee 4a 5a cf 6f 35   ..B........JZ.o5
    0090 - a2 01 d2 33 20 68 db 0a-b3 3f 6c 2b 1b 35 3f 9c   ...3 h...?l+.5?.

    Start Time: 1443196400
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

With server-first:

[sas@file01 ~]$ openssl s_client -connect google.ru:443
CONNECTED(00000003)
depth=3 C = RU, ST = VLG, L = VOLGOGRAD, O = HOME Ltd, OU = IT, CN = MAIN_CA
verify return:1
depth=2 C = RU, ST = VLG, O = HOME Ltd, OU = IT, CN = SIGN-CA1
verify return:1
depth=1 C = RU, ST = VLG, O = HOME Ltd, OU = IT, CN = proxy02.home.lan
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
 1 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
 2 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
   i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
 3 s:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
   i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIId8TCCHVqgAwIBAgIUArbJgJ+rY/6iCYPIpI4Yh15iz8UwDQYJKoZIhvcNAQEL
BQAwVjELMAkGA1UEBhMCUlUxDDAKBgNVBAgMA1ZMRzERMA8GA1UECgwISE9NRSBM
dGQxCzAJBgNVBAsMAklUMRkwFwYDVQQDDBBwcm94eTAyLmhvbWUubGFuMB4XDTE1
...
7zFbVA94Ax+gFwjRzU62mCWXoZ7IOSWDI/yZIR2yyYkVnBvd/Oe3JeoUyq+fhRkM
qewa4S/C4sczmcGPyAuSJnX24YZiLoT4yi9HRZ8d+yFBCuFyYg==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
issuer=/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
---
No client certificate CA names sent
---
SSL handshake has read 11366 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: B391083BB8FFDA6544764FA23533A86098DF0DF75C25B720DA581BCF243FD96E
    Session-ID-ctx:
    Master-Key: 333F0DF78259BEB89D8F0F9D740B57A28932D80B285BDC15B37BF256950AEEBBA21BF657F2AA9F9D5E1BE9FE909B44A0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - f7 4f a8 09 41 b8 8c 75-02 50 e0 46 11 b8 a1 23   .O..A..u.P.F...#
    0010 - d5 44 70 ef 00 7e 3a 31-30 eb 15 51 34 24 f5 17   .Dp..~:10..Q4$..
    0020 - 2b 36 5f 36 1b dd f1 c1-d4 56 7c d1 73 ef eb af   +6_6.....V|.s...
    0030 - 00 36 a8 b9 50 29 1d eb-49 c1 c6 59 ac c8 5c 68   .6..P)..I..Y..\h
    0040 - 96 ca 8a da eb 5e 77 6b-e0 7d c6 d5 ce a6 46 18   .....^wk.}....F.
    0050 - 6f 07 eb 29 fc 60 3f 5b-63 3e 13 61 bd 24 c0 8a   o..).`?[c>.a.$..
    0060 - a2 ce 1f a1 ca c9 5e 4f-11 b5 90 11 f4 df 90 5d   ......^O.......]
    0070 - 04 3b 88 c0 25 67 d1 37-2b 94 9a b2 0d 23 e7 2e   .;..%g.7+....#..
    0080 - d6 47 aa 4e a7 a5 d6 51-91 2a b0 dc cd 7f b8 3f   .G.N...Q.*.....?
    0090 - f0 49 36 9c c8 63 aa 02-99 2f d0 ac ac 13 b4 7a   .I6..c.../.....z

    Start Time: 1443196581
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

PS: In man ssl_crtd:

"Certificate chaining
The version 1.0 of this helper will not add chained intermediate CA certificates. The client must have a full chain of trust from the root CA all the way down to the end certificate generated by this program. Signing with an intermediate CA needs to install both the root and the intermediate public CA on the clients."

But I have a question: how does this work with server-first?

-----Original Message-----
From: Alex Rousskov [mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 23, 2015 6:05 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Cc: Степаненко Сергей
Subject: Re: SSL Bump in intercept mode

On 09/23/2015 12:16 AM, Степаненко Сергей wrote:

> My proxy certificate is released by a subca, i.e. CA - SubCA - Proxy.
> OS - Centos6.7, squid - 3.5.7 from www1.ngtech.co.il repo

> ssl_bump stare all
> ssl_bump bump all
> ssl_bump splice all step3

Please note that the last "splice" rule will never match [in the latest Squids]. Other than being misleading about your true intent, this should not cause problems.

Apart from the pointless splice rule, this is the configuration variant you should focus on if you want to bump everything.

> in this configuration the browser writes "Not check certificate chain"

Perhaps the browser lacks the SubCA certificate? Does Squid send that intermediate certificate to the browser? You should be able to tell by examining the browser-Squid SSL handshake in wireshark.

> ssl_bump bump all
> ssl_bump stare all
> ssl_bump splice all step3

Please note that the second and third rules will never match [in the latest Squids].

Also, the above config variation is subject to Bug 4327 [in the latest Squids]. It is not yet clear what the correct Squid behaviour should be in this case. Avoid this configuration for now.

http://bugs.squid-cache.org/show_bug.cgi?id=4327

> I get the error "The security certificate presented by this website was
> issued for a different website's address", but the certificate chain is
> trusted, i.e. I see the chain CA - SubCA - Proxy - site ipaddr.

Possibly because of the problems discussed in comments 0-3 of the Bug 4327 report mentioned above. I do not know whether your Squid version is affected because quite a few things have changed since it was released.

> ssl_bump server-first all
> All works. But not all sites.

I cannot fully explain this observation. In theory, this last config should have similar effects to your first config, but should handle fewer cases because the last config lacks SNI support.

I recommend that you try to reproduce the problems [with the first config] using the latest v3.5 daily snapshot (or trunk):

ssl_bump stare all
ssl_bump bump all

Good luck,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
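Added example (not code from the thread or from Squid): a small Python checker that parses the "Certificate chain" section of openssl s_client output like the two runs quoted above and reports which issuers a client would be unable to find, i.e. intermediates the proxy did not send. The sample outputs are trimmed copies of the thread's runs, and the set of locally trusted roots (MAIN_CA) is an assumption.

```python
import re

# Constructed samples: the "Certificate chain" and "Verify return code" lines
# from the two s_client runs in the thread (bump/stare vs server-first).
BUMP_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
---
    Verify return code: 21 (unable to verify the first certificate)
"""
SERVER_FIRST_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
 1 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
 2 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
   i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
 3 s:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
   i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
---
    Verify return code: 0 (ok)
"""
# Assumption: the only root the client holds locally is the thread's MAIN_CA.
TRUSTED_ROOTS = {"/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA"}

# One chain entry is two lines: " N s:<subject>" followed by "   i:<issuer>".
CHAIN_RE = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.M)

def parse_chain(output):
    """(subject, issuer) pairs in the order the server presented them."""
    return [(m.group(1).strip(), m.group(2).strip()) for m in CHAIN_RE.finditer(output)]

def verify_code(output):
    m = re.search(r"Verify return code: (\d+)", output)
    return int(m.group(1)) if m else None

def chain_report(output, trusted_roots=frozenset()):
    """List issuers the client cannot find: neither sent in the chain nor a
    locally trusted root. Walking stops at a self-signed certificate."""
    chain = parse_chain(output)
    sent = {subject for subject, _ in chain}
    missing = []
    for subject, issuer in chain:
        if subject == issuer:
            break  # self-signed root: the chain ends here
        if issuer not in sent and issuer not in trusted_roots:
            missing.append(issuer)
    return {"depth": len(chain), "verify_code": verify_code(output), "missing_issuers": missing}

if __name__ == "__main__":
    for name, out in (("bump", BUMP_OUTPUT), ("server-first", SERVER_FIRST_OUTPUT)):
        print(name, chain_report(out, TRUSTED_ROOTS))
```

Feed it the saved output of `openssl s_client -connect host:443` through the proxy; a non-empty `missing_issuers` list with a bump configuration is the symptom described in the thread, and the fix on the client side is to install the listed intermediate(s) alongside the root.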