On 09/28/2015 12:57 AM, Степаненко Сергей wrote:
> I use a config with
> ssl_bump stare all
> ssl_bump bump all
> When I use ssl bump, squid does not send the certificate chain.
> Info from s_client
>
> with ssl_bump
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
>    i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
>
> With server-first
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
>    i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
>  1 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
>    i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
>  2 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
>    i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
>  3 s:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
>    i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA

Thank you for sending relevant details!

This sounds like a Squid bug to me, although I am surprised you are the only one seeing it (perhaps I just do not recall relevant bug reports). I recommend filing a bug report with the similar information you have posted here. If you can, also post (to the bug report) cache.log with debug_options set to ALL,9 and reproducing the problem with a single s_client transaction.

> In man ssl_crtd
> The version 1.0 of this helper will not add chained intermediate CA certificates.
> But I have a question: how does this work with server-first?

Good question. I suspect the manual page is outdated, but I am not 100% sure. We can come back to this once the bug is resolved.

Thank you,

Alex.

> -----Original Message-----
> From: Alex Rousskov [mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, September 23, 2015 6:05 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Cc: Степаненко Сергей
> Subject: Re: SSL Bump in intercept mode
>
> On 09/23/2015 12:16 AM, Степаненко Сергей wrote:
>
>> My proxy certificate is issued by a SubCA, i.e. CA - SubCA - Proxy.
>> OS - Centos6.7, squid - 3.5.7 from www1.ngtech.co.il repo
>
>> ssl_bump stare all
>> ssl_bump bump all
>> ssl_bump splice all step3
>
> Please note that the last "splice" rule will never match [in the latest Squids]. Other than being misleading about your true intent, this should not cause problems.
>
> Apart from the pointless splice rule, this is the configuration variant you should focus on if you want to bump everything.
>
>
>> in this configuration the browser writes "Not check certificate chain"
>
> Perhaps the browser lacks the SubCA certificate? Does Squid send that intermediate certificate to the browser? You should be able to tell by examining the browser-Squid SSL handshake in wireshark.
>
>
>> ssl_bump bump all
>> ssl_bump stare all
>> ssl_bump splice all step3
>
> Please note that the second and third rules will never match [in the latest Squids].
>
> Also, the above config variation is subject to Bug 4327 [in the latest Squids]. It is not yet clear what the correct Squid behaviour should be in this case. Avoid this configuration for now.
>
> http://bugs.squid-cache.org/show_bug.cgi?id=4327
>
>
>> I get the error "The security certificate presented by this website was
>> issued for a different website's address", but the certificate chain is
>> trusted, i.e. I view the chain CA - SubCA - Proxy - site ipaddr.
>
> Possibly because of the problems discussed in comments 0-3 of the Bug 4327 report mentioned above. I do not know whether your Squid version is affected because quite a few things have changed since it was released.
>
>
>> ssl_bump server-first all
>
>> All works. But not all sites.
>
> I cannot fully explain this observation. In theory, this last config should have similar effects to your first config, but should handle fewer cases because the last config lacks SNI support.
>
> I recommend that you try to reproduce the problems [with the first config] using the latest v3.5 daily snapshot (or trunk):
>
> ssl_bump stare all
> ssl_bump bump all
>
>
> Good luck,
>
> Alex.
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
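The check Alex suggests (look at what the proxy actually sends and see whether the intermediates are there) can be scripted over the `openssl s_client` output quoted in the thread. The following is an added example, not code from the thread, from Squid or from its ssl_crtd helper: it parses the numbered `s:`/`i:` lines of an s_client "Certificate chain" listing, walks the chain so that each certificate's issuer must be the subject of the next one, and accepts a chain that ends at a self-signed root or at an issuer the client already trusts (a server may legitimately omit the root). The two sample listings are copied from the thread; the assumption that the browsers trust the MAIN_CA root is taken from the thread's statement that the CA - SubCA - Proxy chain is trusted once it is sent.

```python
"""Walk an `openssl s_client` "Certificate chain" listing and report gaps.

Added example, not code from the squid-users thread or from Squid. It pairs
the " N s:" (subject) and "   i:" (issuer) lines that s_client prints, checks
that every issuer is the subject of the next certificate, and that the chain
ends at a self-signed root or at an issuer the client already trusts.
"""
import re
from dataclasses import dataclass

# Output quoted in the thread with "ssl_bump stare all / ssl_bump bump all":
# Squid sends only the forged leaf and nothing above it.
BUMP_LISTING = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
"""

# Output quoted in the thread with "ssl_bump server-first all":
# leaf, the proxy's signing cert, the sub-CA and the self-signed root.
SERVER_FIRST_LISTING = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
 1 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
 2 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
   i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
 3 s:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
   i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
"""

# Assumption: the browsers in the thread trust the organisation's root CA
# (the thread says the CA - SubCA - Proxy chain is trusted once it is sent).
TRUSTED_ROOTS = {"/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA"}

_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")


@dataclass
class ChainEntry:
    index: int
    subject: str
    issuer: str


def parse_chain(listing: str) -> list[ChainEntry]:
    """Pair each ' N s:' line with the ' i:' line that follows it."""
    entries: list[ChainEntry] = []
    pending = None
    for line in listing.splitlines():
        m = _SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = _ISSUER_RE.match(line)
        if m and pending is not None:
            entries.append(ChainEntry(pending[0], pending[1], m.group(1).strip()))
            pending = None
    return entries


def check_chain(entries: list[ChainEntry], trusted_roots: set[str]) -> tuple[bool, list[str]]:
    """Return (complete, problems).

    complete is True when each issuer is the next subject and the last
    certificate is either self-signed or issued by a trusted root (a server
    may legitimately omit the root itself).
    """
    problems: list[str] = []
    if not entries:
        return False, ["listing contains no certificates"]
    for cur, nxt in zip(entries, entries[1:]):
        if cur.issuer != nxt.subject:
            problems.append(
                f"cert {cur.index} is issued by {cur.issuer!r} but cert {nxt.index} is {nxt.subject!r}"
            )
    last = entries[-1]
    if last.subject != last.issuer and last.issuer not in trusted_roots:
        problems.append(
            f"chain stops at cert {last.index} {last.subject!r}; its issuer "
            f"{last.issuer!r} was not sent and is not a trust anchor"
        )
    return not problems, problems


if __name__ == "__main__":
    for name, listing in (("bump", BUMP_LISTING), ("server-first", SERVER_FIRST_LISTING)):
        ok, problems = check_chain(parse_chain(listing), TRUSTED_ROOTS)
        print(f"{name}: {'complete' if ok else 'INCOMPLETE'}")
        for problem in problems:
            print("  -", problem)
```

Run against live output by piping `openssl s_client -connect host:443 -servername host </dev/null` through the proxy into `parse_chain`; a result of `INCOMPLETE` with the leaf's issuer listed as "not sent" is exactly the symptom reported above, where the browser has no way to link the forged leaf to the root it trusts.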