On 24/12/19 7:55 am, GeorgeShen wrote:
>
>>> Actually doing "openssl s_client -proxy 192.168.1.35:3129 -connect
>>> <host:port> -showcerts", I noticed that two of the three certs in that
>>> display are from the proxy server, I think. The first one is the
>>> modified host cert. Maybe that's the way to get the proxy server's
>>> certs.
>>>
>
>> You are using SSL-Bump. There is no "proxy cert" in these connections.
>> There is only a client cert (optional) and a server cert (possibly
>> modified by Squid, with its CA chain).
>>
>> What you see there is what exists in the traffic.
>
> Sorry, but when I run the above openssl command, I do get three certs:
> the first one is the modified server cert, and the second and third
> certs are the squid proxy's certs.

No. You receive a server cert and the CA chain required to validate that
server cert.

Stop thinking of certs as belonging to the proxy. It seems to be
confusing you.

All 3 certs can be called "the proxy's certs" and yet none of them is a
"proxy cert" in TLS definitions.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
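The exchange above is about reading the output of "openssl s_client ... -showcerts" through an SSL-Bump proxy: the leaf cert comes first, followed by the CA chain that signs it. The following shell helper, added here as an example and not code from the thread or from the Squid project, splits that output into one PEM file per certificate and prints each one's subject and issuer, so that the chain links (the issuer of cert N is the subject of cert N+1) can be read directly instead of guessed at. The proxy address and host placeholder are the ones quoted in the thread; the output directory name and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or Squid itself).
# Usage, sourcing this file into the current shell:
#   . ./showcerts_split.sh
#   openssl s_client -proxy 192.168.1.35:3129 -connect <host:port> -showcerts \
#       </dev/null 2>/dev/null | split_certs ./chain
#   describe_chain ./chain
# "./chain" is an assumed output directory name.

# split_certs DIR: read s_client/-showcerts output on stdin, write every
# "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" block to
# DIR/cert-N.pem in the order the server (or Squid) sent them, and print N.
# Lines outside the PEM blocks (handshake chatter, session info) are dropped.
split_certs() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            f = sprintf("%s/cert-%d.pem", dir, n)
            inblock = 1
        }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
        END { print n + 0 }
    '
}

# describe_chain DIR: for each cert-N.pem, show subject and issuer (needs the
# openssl CLI). In a bumped connection cert-1 is the forged leaf for the
# origin host; its issuer should equal the subject of cert-2, and so on up
# to the CA the client is expected to trust.
describe_chain() {
    dir=$1
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer
    done
}
```

Reading the subject/issuer pairs this way makes Amos's point concrete: nothing in the dump is tagged as belonging to the proxy; there is a leaf certificate for the requested host and the chain of issuers needed to validate it, and whether the root of that chain is Squid's bumping CA or a public CA is something you learn from the issuer names, not from the position of the certificate in the list.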