Hello All.

I'd like clarification of the documentation at http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA

In section "CA certificate preparation" it is stated that a file should be created with "intermediate CA2 followed by root CA1 in PEM format". CA1 is the cert trusted by the clients. CA2 is used to sign the mimicked certs. And finally the statement "Now Squid can send the intermediate CA2 public key with root CA1 to client and does not need to install intermediate CA2 to clients."

The specification states that the clients MUST NOT use CA1 provided in the TLS exchange. CA1 must be (and in this scenario is) already included in its trusted store of CAs.

As I understand it, the TLS exchange with the client for a bumped connection should have the mimicked server cert followed by the intermediate cert (CA2) and that's all. The client completes the chain with the already trusted CA1.

The example file created is used for cafile= option to http_port which is supposed to be for verifying client certs which is not part of this scenario.

This is getting a little long-winded so I'll wait to see what anyone has to say about my assumptions or understanding.

Thanks,
Senor

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
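
The chain handling discussed in this message can be checked locally with OpenSSL's verifier. The script below is an added example, not part of the original post or of the Squid wiki; it builds a throwaway CA1, CA2 and leaf certificate (all subjects, file names and lifetimes are constructed) and assumes OpenSSL 1.1.0 or later on the PATH.

```shell
#!/bin/sh
# Added example: all subjects, file names and lifetimes below are constructed.

# issue <dir> <name> <issuer> <ext-section> <subject>: new key + CSR, signed by <issuer>.
issue() {
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$5" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -set_serial 1000 -extfile "$1/pki.cnf" -extensions "$4" -days 2 \
    -out "$1/$2.pem" 2>/dev/null
}

# build_pki <dir>: CA1 (root) -> CA2 (intermediate) -> leaf (stand-in for a mimicked cert).
build_pki() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$1/ca1.key" -out "$1/ca1.pem" -subj "/CN=Constructed Root CA1" \
    -days 2 2>/dev/null &&
  issue "$1" ca2 ca1 v3_ca "/CN=Constructed Intermediate CA2" &&
  issue "$1" leaf ca2 v3_leaf "/CN=origin.example.test" &&
  cat "$1/ca2.pem" "$1/ca1.pem" > "$1/ca2_ca1.pem"   # CA2 followed by CA1, as in the wiki text
}

# verify_leaf <dir> <certs-sent-with-leaf> <trust options...>
# Exit status 0 if OpenSSL can build a path from leaf.pem to a trusted root.
verify_leaf() {
  leaf=$1/leaf.pem; sent=$2; shift 2
  openssl verify "$@" -untrusted "$sent" "$leaf" >/dev/null 2>&1
}

d=$(mktemp -d) && build_pki "$d" || exit 1
verify_leaf "$d" "$d/ca2.pem" -CAfile "$d/ca1.pem" && echo "CA2 sent, CA1 in trust store: accepted"
verify_leaf "$d" "$d/ca2_ca1.pem" -CAfile "$d/ca1.pem" && echo "CA2+CA1 sent, CA1 in trust store: accepted"
verify_leaf "$d" "$d/ca2_ca1.pem" -no-CAfile -no-CApath || echo "CA2+CA1 sent, empty trust store: rejected"
verify_leaf "$d" "$d/leaf.pem" -CAfile "$d/ca1.pem" || echo "nothing but the leaf sent, CA1 in trust store: rejected"
```

In this run the verifier accepts the leaf whenever CA2 is supplied and CA1 is in the trust store, and a copy of CA1 supplied alongside CA2 changes nothing: with an empty trust store the same bundle is rejected.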