Hi,

I have set up Squid as an SSL MITM proxy. I am also using the certificate download feature with these configurations in my squid.conf:

    acl cert_fetch transaction_initiator certificate-fetching
    http_access allow cert_fetch

Websites whose certificates share AIA information using only the CA Issuers method work just fine. But try this one:

https://community.verizonwireless.com/welcome (this gets bumped in my setup)

Here the AIA information is provided using both the OCSP and CA Issuers methods. From Squid's access logs, I can tell that the certificate gets downloaded:

    1526964147.929 160 - TCP_MISS/200 1868 GET http://cacert.omniroot.com/vpssg142.crt - HIER_DIRECT/64.18.25.46 application/x-x509-ca-cert

But Squid still reports:

    (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

That is the only intermediate certificate needed in the chain. Here:

https://www.ssllabs.com/ssltest/analyze.html?d=community.verizonwireless.com&latest

When I download the intermediate certificate locally and try connecting to the remote server using the openssl -CAfile option, OpenSSL reports OK (0):

    openssl s_client -connect 204.93.84.201:443 -showcerts -CAfile vpssg142.crt -servername community.verizon.com
    >> Verify return code: 0 (ok)

Regards,
Sarfaraz
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
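The message above turns on the two access methods a certificate can list in its Authority Information Access (AIA) extension: an AIA-based fetcher such as Squid's certificate-fetching feature follows only the CA Issuers URI and must ignore the OCSP entry. The following is an added example, not code from the original post or from the Squid project: a small stdlib-only Python parser for the AIA extension value (RFC 5280 section 4.2.2.1) that separates the two methods and returns the URIs a fetcher would follow. The sample extension is constructed inline; its OCSP URL is a placeholder, and its CA Issuers URL is the one from the access log above.

```python
"""Parse an X.509 Authority Information Access (AIA) extension value and
pick out the caIssuers URIs an AIA-based certificate fetcher would follow.

RFC 5280, section 4.2.2.1:
  AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
  AccessDescription ::= SEQUENCE { accessMethod OBJECT IDENTIFIER,
                                   accessLocation GeneralName }
The GeneralName form that matters for fetching is uniformResourceIdentifier
[6], encoded as context-specific primitive tag 0x86 carrying an IA5String.
"""

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"
ACCESS_METHODS = {ID_AD_OCSP: "OCSP", ID_AD_CA_ISSUERS: "CA Issuers"}
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # [6] uniformResourceIdentifier


# --- minimal DER encoder, used only to build the constructed sample ---

def der_length(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, value):
    return bytes([tag]) + der_length(len(value)) + value


def der_oid(dotted):
    """Encode a dotted OID (first arc 0, 1 or 2 with second arc < 40)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128 with continuation bit on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(TAG_OID, bytes(out))


def access_description(method_oid, uri):
    return der_tlv(TAG_SEQUENCE,
                   der_oid(method_oid) + der_tlv(TAG_URI, uri.encode("ascii")))


# --- minimal DER decoder ---

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Decode OID content octets (first arc 0, 1 or 2 with second arc < 40)."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def parse_aia(ext_value):
    """Decode an AIA extension value into a list of (method, uri) tuples.

    AccessDescriptions whose accessLocation is not a URI (for example a
    directoryName) are skipped: an HTTP fetcher cannot use them.
    """
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA extension value is not a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        mtag, oid_bytes, after_oid = read_tlv(desc, 0)
        if mtag != TAG_OID:
            raise ValueError("accessMethod is not an OBJECT IDENTIFIER")
        ltag, location, _ = read_tlv(desc, after_oid)
        dotted = decode_oid(oid_bytes)
        if ltag != TAG_URI:
            continue
        entries.append((ACCESS_METHODS.get(dotted, dotted), location.decode("ascii")))
    return entries


def ca_issuer_urls(ext_value):
    """URIs a certificate fetcher should download: caIssuers only, OCSP ignored."""
    return [uri for method, uri in parse_aia(ext_value) if method == "CA Issuers"]


# Constructed sample: both access methods present, as in the certificate
# discussed in the post. The OCSP URL is a placeholder.
SAMPLE_AIA = der_tlv(
    TAG_SEQUENCE,
    access_description(ID_AD_OCSP, "http://ocsp.example.invalid")
    + access_description(ID_AD_CA_ISSUERS, "http://cacert.omniroot.com/vpssg142.crt"),
)

if __name__ == "__main__":
    for method, uri in parse_aia(SAMPLE_AIA):
        print(f"{method:11} {uri}")
    print("fetch:", ca_issuer_urls(SAMPLE_AIA))
```

Running the block prints one line per AccessDescription and then the single CA Issuers URL that a fetcher would retrieve. Whether the downloaded object is the missing issuer is a separate check: its Subject must equal the leaf's Issuer and its key must verify the leaf's signature, which is what the `-CAfile` run above confirms.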