>> actually doing "openssl s_client -proxy 192.168.1.35:3129 -connect
>> <host:port> -showcerts ",
>> noticed two of the three certs from that display are from the proxy server
>> I think. the first one
>> is the modified host cert. maybe that's the way to get proxy server's
>> certs.
>
> You are using SSL-Bump. There is no "proxy cert" in these connections.
> There is only client cert (optional) and server cert (possibly modified
> by Squid, with CA chain).
>
> What you see there is what exists in the traffic.

Sorry, but when I run the above openssl command, I do get three certs: the first one is the modified server cert, and the 2nd and third certs are the squid proxy's certs. Yes, the proxy is configured to do the SSL-BUMP on port 3129. I would think the proxy needs to send its certs to the client for that part of the TLS connection. Can this explain why I'm receiving the proxy's cert?

thanks.
- George
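
Added example (not part of the original post, and not Squid or OpenSSL code): one way to read the `Certificate chain` section of the `openssl s_client -showcerts` output discussed in this thread, pairing each certificate's subject with its issuer to see how the certificates after the first one relate to it. The sample output and every name in it are constructed, and the PEM bodies are omitted.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# openssl s_client -showcerts (PEM bodies omitted; all names are made up).
SAMPLE = """\
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Bump Intermediate CA
 1 s:CN = Example Bump Intermediate CA
   i:CN = Example Bump Root CA
 2 s:CN = Example Bump Root CA
   i:CN = Example Bump Root CA
---
Server certificate
"""

def parse_chain(text):
    """Return [(index, subject, issuer), ...] from s_client output."""
    certs, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(\d+) s:(.*)$", line)
        if m:
            current = [int(m.group(1)), m.group(2).strip(), None]
            certs.append(current)
            continue
        m = re.match(r"\s+i:(.*)$", line)
        if m and current is not None and current[2] is None:
            current[2] = m.group(1).strip()
    return [tuple(c) for c in certs]

def describe_chain(certs):
    """Label each cert by its position in the chain the peer sent."""
    roles = []
    for pos, (idx, subject, issuer) in enumerate(certs):
        if pos == 0:
            role = "leaf"
        elif subject == issuer:
            role = "self-signed CA"
        else:
            role = "intermediate CA"
        # Linked: issuer equals the next cert's subject, or this is the last cert sent.
        linked = pos + 1 == len(certs) or issuer == certs[pos + 1][1]
        roles.append((idx, role, linked))
    return roles

if __name__ == "__main__":
    for idx, role, linked in describe_chain(parse_chain(SAMPLE)):
        print(idx, role, "linked" if linked else "NOT linked to next cert")
```
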