On 10/30/18 10:59 PM, Sid wrote:

> Sid: I took wireshark on Squid server (centOS 7); I took 2 wiresharks
> between Client & Squid and then between Squid & Server. I can see client
> being sent fake cert generated by Squid & client responds with "Client key
> Exchange", "Change cipher spec", "Encrypted Handshake Message".

Sounds good. Does the generated fake certificate contain the right origin server name?

> But I can't see actual client certificate sent to Squid.

Why do you expect the client to send a client certificate to Squid? In most deployments, TLS servers do not request client certificates and, hence, TLS clients do not send client certificates. IIRC, you did not configure your Squid to request a client certificate from the client?

Or is there a terminology problem where "client certificate sent to Squid" means something other than "an x509 certificate requested by a TLS server and sent to that server by a TLS client during TLS handshake"? Please note that Squid is a TLS server in this context.

> Is there a way to decrypt in Wireshark.

Yes, there are several ways, including giving Wireshark your Squid's private certificate key. Sorry, I do not have detailed instructions. Please note that the encrypted part probably does not matter -- in most cases prior to TLS v1.3, it is the plain text Hellos that are important when it comes to bumping the connection.

> In Wireshark between Squid & Server I can see Squid responding
> with "61 Alert (Level: Fatal, Description: Internal Error)".
>
> Alex: Is your Squid configured to trust those internal CAs? If not, Squid
> would not be able to validate the server certificate.
>
> Sid: I have added those chained certificates as following in squid.conf
>
> tls_outgoing_options cafile=/usr/local/squid/etc/UCAppsCA.pem
> sslproxy_foreign_intermediate_certs /usr/local/squid/etc/UCAppsCA.pem

Perhaps the alert may not be related to certificate validation.

If you want to verify whether UCAppsCA.pem is enough to trust the origin server, you can use "curl" or "openssl s_client" tools for a test. They should fail to validate the server when not configured to use UCAppsCA.pem and they should succeed otherwise.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
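The CA-file check Alex describes, as an added example that is not part of the thread or of Squid: it builds a constructed root -> intermediate -> server chain with the openssl CLI in a temporary directory, then runs `openssl verify` with the right CA file, with an unrelated CA file, and with the root but no intermediate (the case sslproxy_foreign_intermediate_certs is meant for). The names "root", "other", "int", "srv" and the hostname origin.example.test are assumptions; "root" stands in for the CA behind UCAppsCA.pem, and the openssl CLI (1.1.1 or later) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): constructed root -> intermediate -> server chain,
# then check which CA file makes the server certificate validate. Offline stand-in for
# the curl / openssl s_client test; "root" plays the part of the CA behind UCAppsCA.pem.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# csr NAME SUBJECT: fresh RSA key plus certificate request
csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXTFILE: issue NAME's request under ISSUER's key
sign() {
  openssl x509 -req -days 2 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:origin.example.test\n' > "$WORK/srv.ext"
csr root  "/CN=Constructed Origin Root CA"    # the CA that should be in UCAppsCA.pem
csr other "/CN=Unrelated Root CA"             # a CA file that does not cover the origin
csr int   "/CN=Constructed Intermediate CA"
csr srv   "/CN=origin.example.test"           # the origin server's leaf certificate
for ca in root other; do                      # self-sign the two roots
  openssl x509 -req -days 2 -in "$WORK/$ca.csr" -signkey "$WORK/$ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/$ca.pem" 2>/dev/null
done
sign int root ca.ext
sign srv int srv.ext

# check CAFILE [INTERMEDIATE]: 0 if srv.pem chains to a CA in CAFILE, non-zero otherwise.
# INTERMEDIATE stands for the intermediate the server sends in its handshake, or the one
# sslproxy_foreign_intermediate_certs supplies when the server omits it.
check() {
  if [ -n "$2" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
      -untrusted "$WORK/$2.pem" "$WORK/srv.pem" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" "$WORK/srv.pem" >/dev/null 2>&1
  fi
}

check root int  && echo "root CA file + intermediate: OK"
check other int || echo "unrelated CA file: validation fails, as expected"
check root      || echo "root CA file but no intermediate: validation fails"
```

Against a live origin the equivalent checks are `openssl s_client -CAfile UCAppsCA.pem -connect host:443` and `curl --cacert UCAppsCA.pem https://host/`, repeated without the CA file to confirm they then fail.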