On Thu, 2017-01-05 at 23:40 +0000, senor wrote:
> Hello All.
> I'd like clarification of the documentation at
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA
>
> In section "CA certificate preparation" it is stated that a file should be created with "intermediate CA2 followed by root CA1 in PEM format". CA1 is the cert trusted by the clients. CA2 is used to sign the mimicked certs. And finally the statement "Now Squid can send the intermediate CA2 public key with root CA1 to client and does not need to install intermediate CA2 to clients."
>
> The specification states that the clients MUST NOT use CA1 provided in the TLS exchange. CA1 must be (and in this scenario is) already included in its trusted store of CAs.
>
> As I understand it, the TLS exchange with the client for a bumped connection should have the mimicked server cert followed by the intermediate cert (CA2) and that's all. The client completes the chain with the already trusted CA1.
>
> The example file created is used for the cafile= option to http_port, which is supposed to be for verifying client certs, which is not part of this scenario.
>
> This is getting a little long-winded so I'll wait to see what anyone has to say about my assumptions or understanding.
>
> Thanks,
> Senor

Hi Senor,

You are right, it is not required to send the root CA cert to a client. It is already installed in the client's cert store. You can find more details in bug report 3426 [1] (comments 11 and 13).

[1] http://bugs.squid-cache.org/show_bug.cgi?id=3426

Garri

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
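As an added illustration of the chain-ordering point in this thread (not code from the squid-users posters or from the Squid project): a stdlib-only Python check that walks a PEM bundle in the order it would be sent, confirms each certificate's issuer equals the next certificate's subject by raw DER comparison, and reports whether the bundle ends in a self-signed root such as CA1, which the client already trusts and does not need to receive. It checks structure only, not signatures, and the certificates it builds for its own test data are unsigned placeholders, not real ones.

```python
import base64
import re

def der_tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, end). Handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def issuer_and_subject(cert_der):
    """Raw DER of a certificate's issuer and subject Names (no signature check)."""
    fields = der_children(der_children(der_tlv(cert_der)[1])[0][1])  # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                   # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]          # serial, sigAlg, issuer, validity, subject, ...

def check_chain(pem_bundle):
    """Classify a PEM bundle in send order: 'broken' (issuer/subject mismatch),
    'ok' (leaf .. intermediate only) or 'includes_root' (ends in a self-signed cert)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_bundle, re.S)
    certs = [issuer_and_subject(base64.b64decode(b)) for b in blocks]
    if not certs:
        return "broken"
    for (issuer, _), (_, subject) in zip(certs, certs[1:]):
        if issuer != subject:
            return "broken"
    return "includes_root" if certs[-1][0] == certs[-1][1] else "ok"

# Constructed test data: unsigned X.509 skeletons with CN-only Names, not real certificates.
def tlv(tag, value):                           # DER TLV builder for values shorter than 256 bytes
    return (bytes([tag, len(value)]) if len(value) < 128 else bytes([tag, 0x81, len(value)])) + value
def name(cn):                                  # Name ::= SEQUENCE { SET { SEQUENCE { OID CN, UTF8String } } }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
def fake_cert(subject, issuer):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name(subject))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
LEAF, CA2, CA1 = fake_cert("example.test", "CA2"), fake_cert("CA2", "CA1"), fake_cert("CA1", "CA1")
```

Run it against the actual bundle handed to Squid (or the chain captured from a bumped connection) to see whether CA1 is being sent needlessly.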