Thank you Alex for the reply.

Alex: 1. Servers never send SNI. Clients usually send SNI. Squid should forward SNI it received from the client to the server, provided the client actually sent SNI. Did your client send SNI?

Sid: I can see in the Client Hello an IP address being sent by the client; so there is no SNI from the client itself.

Alex: 2. Bugs notwithstanding, the implied order of events is not what actually happens: Squid, as configured, does _not_ forward anything from the server certificate to the client. Squid, as configured, generates a certificate based on client-supplied information (not server-supplied information). After sending that generated certificate to the client, Squid establishes a TLS connection with the server.

Sid: Thank you for the explanation.

Alex: For an accurate picture, in addition to Squid-server and server-Squid traffic, look at what Squid has received from the client and what Squid sent to the client, all in actual order.

Sid: I took a Wireshark capture on the Squid server (CentOS 7); I took two Wireshark captures, between Client & Squid and then between Squid & Server. I can see the client being sent the fake cert generated by Squid & the client responds with "Client Key Exchange", "Change Cipher Spec", "Encrypted Handshake Message". But I can't see the actual client certificate sent to Squid. Is there a way to decrypt it in Wireshark? In the Wireshark capture between Squid & Server I can see Squid responding with "61 Alert (Level: Fatal, Description: Internal Error)".

Alex: Is your Squid configured to trust those internal CAs? If not, Squid would not be able to validate the server certificate.
Sid: I have added those chained certificates as follows in squid.conf:

    tls_outgoing_options cafile=/usr/local/squid/etc/UCAppsCA.pem
    sslproxy_foreign_intermediate_certs /usr/local/squid/etc/UCAppsCA.pem

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
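A way to check, outside Squid, the two things Alex raised: whether the cafile handed to tls_outgoing_options really contains the whole internal chain, and whether the origin server's certificate validates against that bundle the way Squid's outgoing TLS connection must. This is an added example, not from the thread or the Squid project; it assumes openssl is installed, and the origin host name and the bundle path are placeholders (the path is the one from the message).

```shell
#!/bin/sh
# Added example: inspect the CA bundle Squid is told to trust and validate
# the origin server against it with plain openssl, so a missing intermediate
# shows up here before it shows up as a fatal alert in a capture.
set -u

# Number of certificates in a PEM bundle (root plus every intermediate expected).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Subject and issuer of each certificate in bundle order; a certificate whose
# issuer matches no subject in the list is the gap in the chain.
pem_chain_summary() {
    dir=$(mktemp -d) || return 1
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++}
                     n{print > sprintf("%s/%03d.pem", d, n)}' "$1"
    for f in "$dir"/*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer
        echo
    done
    rm -rf "$dir"
}

# Validate the origin server's chain against the same cafile Squid uses.
# -servername sends SNI (the server may select its certificate by name);
# "Verify return code: 0 (ok)" means the bundle is sufficient for this server.
verify_origin() {   # usage: verify_origin host[:port] /path/to/cafile
    host=$1; cafile=$2
    case $host in *:*) ;; *) host="$host:443";; esac
    openssl s_client -connect "$host" -servername "${host%%:*}" \
        -CAfile "$cafile" -verify_return_error </dev/null 2>&1 \
        | grep -E 'Verify return code|depth=|error'
}

# Run as: sh check_chain.sh origin.example.internal /usr/local/squid/etc/UCAppsCA.pem
# (host name is a placeholder; the bundle path is the one from squid.conf above)
if [ "$#" -eq 2 ]; then
    echo "certificates in bundle: $(pem_cert_count "$2")"
    pem_chain_summary "$2"
    verify_origin "$1" "$2"
fi
```

If the count is lower than the number of CAs in the internal hierarchy, or the verify step reports "unable to get local issuer certificate", the bundle is what needs fixing, not the bump configuration.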