Search squid archive

https_port and capath

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Previous questions on this list referred to using the capath= option to https_port directive to fill in certificates missing in the chain to the Root CA trusted by the clients. I can not seem to get that to work.

I see no error in parsing even with debug on (debug section 3,9). The directive is read and no error produced but also no hint that the file pointed to by capath is used for anything. The SSL negotiation is not changed. The same 2 certs are passed. Just the signing cert and the signed cert.

directive:
 https_port 192.168.12.10:8443 intercept ssl-bump cert=/etc/squid/mitm.crt key=/etc/squid/mitm.key cafile=/etc/squid/mitm_chain.crt generate-host-certificates=on dynamic_cert_mem_cache_size=32MB name=mitm

The RootCA.crt is trusted by clients.
The Root CA signed intermediate1
Intermediate1 signed intermediate2
cert=intermediate2
cafile=intermediate1

This command succeeds:
openssl verify -CAfile RootCA.crt -untrusted intermediate1.crt intermediateL2.crt
If the untrusted intermediate1 is added to client the MITM works.

I realize this wouldn't be used very often and I'd prefer not using it myself but it is necessary in this case. 
Any hints?
Thanks in advance,
Senor
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux