Re: ssl_bump with intermediate CA


The cafile option specifies the "chain" file Squid should send back to the client along with the cert, exactly as you would normally do with Apache httpd or Nginx.
In the example the generated server cert is depth 0, CA2 is depth 1 and CA1 is depth 2.
If the client has CA1 installed as a trust anchor then technically you don't need to send CA1 as it is discarded by the client once the trust relationship for CA2 is established.
It's good practice to send the full chain though as it makes troubleshooting easier.
From a client perspective you can quickly grab the whole chain with openssl s_client and check if CA1 is in the trust store.

On Fri, Jan 6, 2017 at 10:40 AM, senor <frio_cervesa@xxxxxxxxxxx> wrote:
Hello All.
I'd like clarification of the documentation at
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA

In section "CA certificate preparation" it is stated that a file should
be created with "intermediate CA2 followed by root CA1 in PEM format".
CA1 is the cert trusted by the clients. CA2 is used to sign the mimicked
certs. And finally the statement "Now Squid can send the intermediate
CA2 public key with root CA1 to client and does not need to install
intermediate CA2 to clients."

The specification states that the clients MUST NOT use CA1 provided in
the TLS exchange. CA1 must be (and in this scenario is) already included
in its trusted store of CAs.

As I understand it, the TLS exchange with the client for a bumped
connection should have the mimicked server cert followed by the
intermediate cert (CA2) and that's all. The client completes the chain
with the already trusted CA1.

The example file created is used for cafile= option to http_port which
is supposed to be for verifying client certs which is not part of this
scenario.

This is getting a little long-winded so I'll wait to see what anyone has
to say about my assumptions or understanding.

Thanks,
Senor

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
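
The chain handling discussed in this thread, as an added example that is not part of the original messages: it builds a CA1 -> CA2 -> leaf hierarchy offline with the openssl CLI and checks which sent chains a client accepts. All names, subjects and file paths are constructed for the demonstration, and `openssl verify` is assumed as a stand-in for a TLS client whose trust store holds a single root.

```bash
#!/usr/bin/env bash
# Added example: constructed CA1 -> CA2 -> leaf hierarchy (all names made up).
# `openssl verify` stands in for a TLS client with a single trusted root.
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$W/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"

new_key_csr() {   # NAME CN: fresh key and CSR
  openssl req -new -newkey rsa:2048 -nodes -config "$W/req.cnf" \
    -subj "/CN=$2" -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
self_sign() {     # NAME: self-signed root certificate
  openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 2 \
    -extfile "$W/ca.ext" -out "$W/$1.pem" 2>/dev/null
}
issue() {         # NAME ISSUER [EXTFILE]: certificate signed by ISSUER
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
    -CAcreateserial -days 2 ${3:+-extfile "$3"} -out "$W/$1.pem" 2>/dev/null
}
client_accepts() {  # TRUSTED_ROOT [SENT_CHAIN]: exit 0 if the leaf verifies
  openssl verify -CAfile "$W/$1.pem" ${2:+-untrusted "$2"} \
    "$W/leaf.pem" >/dev/null 2>&1
}
verdict() { if client_accepts "$@"; then echo accept; else echo reject; fi; }

new_key_csr ca1 "Example Root CA1";     self_sign ca1      # root trusted by clients
new_key_csr ca2 "Example Signing CA2";  issue ca2 ca1 "$W/ca.ext"
new_key_csr leaf "www.example.test";    issue leaf ca2     # the mimicked server cert
new_key_csr other "Unrelated Root";     self_sign other    # a root the clients lack
# The file described on the wiki page: intermediate CA2 followed by root CA1.
cat "$W/ca2.pem" "$W/ca1.pem" > "$W/chain-full.pem"

echo "trusts CA1, server sends CA2 only:      $(verdict ca1 "$W/ca2.pem")"
echo "trusts CA1, server sends CA2 + CA1:     $(verdict ca1 "$W/chain-full.pem")"
echo "trusts CA1, server sends no chain:      $(verdict ca1)"
echo "lacks CA1,  server sends CA2 + CA1:     $(verdict other "$W/chain-full.pem")"
```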
