On 29/03/2017 11:07 a.m., senor wrote:
> Previous questions on this list referred to using the capath= option
> to the https_port directive to fill in certificates missing in the chain
> to the Root CA trusted by the clients. I cannot seem to get that to
> work.
>
> I see no error in parsing even with debug on (debug section 3,9). The
> directive is read and no error is produced, but also no hint that the
> file pointed to by capath is used for anything. The SSL negotiation
> is not changed. The same 2 certs are passed: just the signing cert
> and the signed cert.
>
> directive:
> https_port 192.168.12.10:8443 intercept ssl-bump \
>   cert=/etc/squid/mitm.crt key=/etc/squid/mitm.key \
>   cafile=/etc/squid/mitm_chain.crt generate-host-certificates=on \
>   dynamic_cert_mem_cache_size=32MB name=mitm
>
> The RootCA.crt is trusted by clients.
> The Root CA signed intermediate1.
> Intermediate1 signed intermediate2.
> cert=intermediate2
> cafile=intermediate1
>
> This command succeeds:
> openssl verify -CAfile RootCA.crt -untrusted intermediate1.crt intermediateL2.crt
>
> If the untrusted intermediate1 is added to the client, the MITM works.
>
> I realize this wouldn't be used very often, and I'd prefer not using it
> myself, but it is necessary in this case.
> Any hints?

The cert= and key= parameters are used by the cert generator.

The cafile= parameter and the generator output are used by the verification and maybe sent to the client.

So your PEM file in *both* cert= and cafile= needs to contain the whole chain of intermediates.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
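The PEM layout Amos describes, as an added example that is not part of the thread and not Squid code: a shell script that builds a throwaway Root CA -> intermediate1 -> intermediate2 hierarchy with openssl, writes one PEM holding only intermediate2 (what the original cert= file contained) and one holding intermediate2 followed by intermediate1, and runs the same kind of `openssl verify` check the question used against each. Every subject, file name and the `WORK` directory are constructed for the demo; the config file is only there because `openssl req` insists on a distinguished_name section.

```shell
#!/bin/sh
# Added example, not from the thread or from Squid: reproduce the chain
# problem with a throwaway Root CA -> intermediate1 -> intermediate2 hierarchy
# and show which PEM layout verifies against the root.
# All names, subjects and paths below are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: req needs a distinguished_name section even when
# -subj is given, and ca_ext supplies the CA extensions for every cert.
write_conf() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca NAME SUBJECT [ISSUER]: create $WORK/NAME.key and $WORK/NAME.crt.
# Without ISSUER the certificate is self-signed (the root); with ISSUER it
# is signed by $WORK/ISSUER.key.
make_ca() {
  name=$1; subj=$2; issuer=${3:-}
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl req -x509 -new -key "$WORK/$name.key" -subj "$subj" -days 30 \
      -config "$WORK/ca.cnf" -extensions ca_ext -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl req -new -key "$WORK/$name.key" -subj "$subj" \
      -config "$WORK/ca.cnf" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -days 30 \
      -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -extfile "$WORK/ca.cnf" -extensions ca_ext -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# build_chain OUT CERT [CERT...]: concatenate the named certs into OUT, the
# signing cert first and then each intermediate in order towards the root.
build_chain() {
  out=$1; shift
  : > "$out"
  for c in "$@"; do cat "$WORK/$c.crt" >> "$out"; done
}

# verify_against_root PEM: succeed only if the first cert in PEM chains to
# $WORK/root.crt using nothing but the other certs in PEM as intermediates,
# i.e. the same check as the openssl verify command in the question.
verify_against_root() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$1" >/dev/null 2>&1
}

# show_chain PEM: print subject/issuer of every cert in PEM, in file order.
show_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# demo: build the hierarchy and both PEM layouts; return 0 only if the PEM
# with the intermediate verifies and the PEM without it does not.
demo() {
  write_conf
  make_ca root "/CN=Demo Root CA"
  make_ca intermediate1 "/CN=Demo Intermediate 1" root
  make_ca intermediate2 "/CN=Demo Intermediate 2" intermediate1
  build_chain "$WORK/cert_only.pem" intermediate2
  build_chain "$WORK/cert_with_chain.pem" intermediate2 intermediate1

  echo "== cert_only.pem (what the original cert= file held)"
  show_chain "$WORK/cert_only.pem"
  if verify_against_root "$WORK/cert_only.pem"; then
    echo "unexpected: verified without intermediate1"; return 1
  fi
  echo "verify: FAILS, intermediate1 missing"

  echo "== cert_with_chain.pem (signing cert followed by intermediate1)"
  show_chain "$WORK/cert_with_chain.pem"
  verify_against_root "$WORK/cert_with_chain.pem" || return 1
  echo "verify: OK"
}

demo
```

In the question's terms, `cert_with_chain.pem` is the layout to point both cert= and cafile= at: the signing cert followed by every intermediate up to (but not including) the root the clients already trust. After reloading Squid, `openssl s_client -showcerts` against a bumped connection shows the chain actually sent, which is the quickest way to see whether the intermediate now appears.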