Previous questions on this list referred to using the capath= option to https_port directive to fill in certificates missing in the chain to the Root CA trusted by the clients. I can not seem to get that to work.

I see no error in parsing even with debug on (debug section 3,9). The directive is read and no error produced but also no hint that the file pointed to by capath is used for anything. The SSL negotiation is not changed. The same 2 certs are passed. Just the signing cert and the signed cert.

directive:

    https_port 192.168.12.10:8443 intercept ssl-bump cert=/etc/squid/mitm.crt key=/etc/squid/mitm.key cafile=/etc/squid/mitm_chain.crt generate-host-certificates=on dynamic_cert_mem_cache_size=32MB name=mitm

The RootCA.crt is trusted by clients.
The Root CA signed intermediate1
Intermediate1 signed intermediate2
cert=intermediate2
cafile=intermediate1

This command succeeds:

    openssl verify -CAfile RootCA.crt -untrusted intermediate1.crt intermediateL2.crt

If the untrusted intermediate1 is added to client the MITM works. I realize this wouldn't be used very often and I'd prefer not using it myself but it is necessary in this case.

Any hints?

Thanks in advance,
Senor
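The client-side view of the chain described in the message above, as an added example that is not part of the original post: it builds a throwaway RootCA -> intermediate1 -> intermediate2 -> host chain and verifies the host certificate the way a client that trusts only RootCA.crt would, first with only intermediate2 sent and then with intermediate1 sent as well. It goes one step beyond the openssl verify command in the post by checking the generated host certificate; the subject names, the host certificate and the helper names are constructed for the demo.

```shell
#!/bin/sh
# Added example: every key, certificate and name here is constructed for the demo.

# make_chain DIR: create RootCA -> intermediate1 -> intermediate2 -> host in DIR
make_chain() {
  ( cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' \
      '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
      '[v3_leaf]' 'basicConstraints=CA:FALSE' > ext.cnf
    # issue NAME CN EXT_SECTION [ISSUER]; without ISSUER the cert is self-signed
    issue() {
      openssl req -new -newkey rsa:2048 -nodes -config ext.cnf -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
      if [ -n "$4" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
          -days 2 -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
      else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
          -days 2 -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
      fi
    }
    issue RootCA "Constructed Root CA" v3_ca &&
    issue intermediate1 "Constructed Intermediate 1" v3_ca RootCA &&
    issue intermediate2 "Constructed Intermediate 2" v3_ca intermediate1 &&
    issue host "www.example.test" v3_leaf intermediate2
  )
}

# verify_as_client DIR SENT.pem: the client trusts only RootCA.crt;
# SENT.pem holds the CA certificates the server sent along with the host cert.
verify_as_client() {
  out=$(openssl verify -CAfile "$1/RootCA.crt" -untrusted "$2" "$1/host.crt" 2>&1) || true
  case $out in *": OK"*) echo ok ;; *) echo fail ;; esac
}

demo() {
  d=$(mktemp -d) || return 1
  make_chain "$d" || return 1
  cat "$d/intermediate2.crt" "$d/intermediate1.crt" > "$d/full_chain.pem"
  echo "sent: host + intermediate2                 -> $(verify_as_client "$d" "$d/intermediate2.crt")"
  echo "sent: host + intermediate2 + intermediate1 -> $(verify_as_client "$d" "$d/full_chain.pem")"
  rm -rf "$d"
}

demo
```

The first line corresponds to the two-certificate handshake reported in the message, the second to a handshake that also carries intermediate1.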