cafile and capath not working as expected with SSL bump

Hi,

I'm using squid 3.5.19 on RHEL6 and have configured SSL bump, which for the most part is working great.
The issue I have is I need to install some additional CA certs that are not provided by the ca-certificates-2015 RPM in the /etc/pki/tls/cert.pem file (symlinked to /etc/pki/tls/certs/ca-bundle.crt).
I've tried adding both the cafile and capath options to the http_port entry but neither seems to have any effect.
With the cafile option I can see squid open the file via an strace but when I connect to the server it fails with a 503 as the SSL session to the remote side is failing to verify.
With the capath option, strace shows that squid never attempts to open any files in that directory.
Dynamic certificate generation between squid and the client is working fine however.


cafile strace (strace -fp <squid_pid> -e trace=open):

[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDWR) = 3
[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDONLY) = 4
[pid 27532] open("/etc/localtime", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/3EA5A8686DE52F6FBED1CD16F119603FF223563F.pem", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/3EA5A8686DE52F6FBED1CD16F119603FF223563F.pem", O_RDONLY) = 4
[pid 27528] open("/etc/squid/ssl/cafile.pem", O_RDONLY) = 13
[pid 27528] open("/etc/pki/tls/cert.pem", O_RDONLY) = 13
[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDWR) = 3
[pid 27532] open("/var/lib/ssl_db/index.txt", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/666F7FE36508EC9B6E154D4FA0AE36DAFE9AC520.pem", O_RDONLY) = 4
[pid 27532] open("/var/lib/ssl_db/certs/666F7FE36508EC9B6E154D4FA0AE36DAFE9AC520.pem", O_RDONLY) = 4
[pid 27528] open("/etc/squid/ssl/cafile.pem", O_RDONLY) = 13
[pid 27528] open("/etc/pki/tls/cert.pem", O_RDONLY) = 13
[pid 27528] open("/etc/squid/ssl/cafile.pem", O_RDONLY) = 13
[pid 27528] open("/etc/pki/tls/cert.pem", O_RDONLY) = 13


Subsequent error in the access log:

[29/Jun/2016:18:46:30 +1000] 198.142.126.173 TAG_NONE:HIER_DIRECT/200 "CONNECT www.example.com:443 HTTP/1.1" - www.example.com 130 0 - 14
[29/Jun/2016:18:46:30 +1000] 198.142.126.173 TAG_NONE:HIER_NONE/503 "GET https://www.example.com/postorders/postorders.php HTTP/1.1" - - 249 4699 - -


Relevant config:

sslproxy_options NO_SSLv2
sslproxy_cert_sign signTrusted
sslproxy_cert_sign_hash sha1
sslcrtd_children 8 startup=1 idle=1

acl step1 at_step SslBump1
ssl_bump peek step1 sslbump_src
ssl_bump bump sslbump_dst sslbump_src

ssl_bump none all

#http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB capath=/etc/squid/ssl/cacerts/ key=/etc/squid/ssl_cert/mitm_root_ca.key  cert=/etc/squid/ssl_cert/mitm_root_ca.crt
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cafile=/etc/squid/ssl/cafile.pem key=/etc/squid/ssl_cert/mitm_root_ca.key  cert=/etc/squid/ssl_cert/mitm_root_ca.crt


I can work around the issue by appending the additional CA certs to the Red Hat managed /etc/pki/tls/certs/ca-bundle.crt file but this is not ideal.

Are the cafile and capath options supposed to work like this i.e. do they allow you to complement the OS supplied CA certs for remote site verification or have I completely misread the documentation?

cafile= File containing additional CA certificates to
use when verifying client certificates. If unset
clientca will be used.

capath= Directory containing additional CA certificates
and CRL lists to use when verifying client certificates.

Many thanks and any help greatly appreciated,
Bruce


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
