On 1/13/21 9:47 PM, Greg Hulands wrote:

> I have put the ALL,9 log here
> https://gist.github.com/ghulands/4a689db93fc87f9e7f69174f292f1914
> I can see it generates the certificate correctly,

Agreed. Squid receives (from the helper) a generated certificate with the right wildcard CN, not a CA certificate.

> but couldn't identify why it didn't return the cert to the client.

Yeah... Squid is calling the code that should set the certificate for the client connection. Unfortunately, I cannot easily tell whether that code is using the right certificate -- the existing debugging may not even reveal that detail.

If you see a different certificate received by the client -- something I cannot verify from the logs -- then perhaps Squid incorrectly switched the right certificate to a different one or Squid failed to set the right certificate but forgot to report the problem (and the CA certificate from the related context was used?). These are just wild guesses.

If you do not get better suggestions for going forward, consider these last-straw ideas:

* Testing with a client like openssl, try disabling TLS v1.3. It is being used by the client in your logs. Perhaps there is something in TLS v1.3 that requires special handling when talking to the client. I know that Squid has problems with TLS v1.3 on the Squid-to-server connections... (In your case, the Squid-to-server connection is TLS v1.2 AFAICT).

* Upgrade to the latest v5 or even v6. I see no relevant fixes in v5 but I could miss them.

* If you are a developer, add more debugging or use gdb to find out what happens with the Squid-to-client certificate. Otherwise, find a developer who can do that for you.

Sorry I cannot think of any good options here.

Alex.

squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
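The diagnostic Alex describes (look at the certificate the client actually receives, with TLS 1.3 disabled, and check whether it is the generated wildcard leaf or the CA certificate from the related context) can be scripted. The following is an added example, not code from the thread or from the Squid project. It assumes `openssl` 1.1.1 or newer is on PATH; the proxy address, port and hostname are caller-supplied placeholders, since none of Greg's real values are known here. It checks the subject CN only (the SAN extension is not examined) and tells a CA certificate apart from a leaf via basicConstraints.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or Squid itself): inspect the
# certificate a TLS client receives from an SSL-bumping proxy and decide whether
# it is a generated leaf covering the requested name, or a CA certificate.
# Assumptions: openssl 1.1.1+ on PATH; target host/port/SNI and optional
# explicit proxy are passed by the caller (placeholders, no real values known).
set -eu

# Print "ca" when the PEM certificate in $1 carries basicConstraints CA:TRUE,
# otherwise "leaf". A bumping proxy must present a leaf, never its CA cert.
cert_kind() {
    if openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo leaf
    fi
}

# Print the subject CN of the PEM certificate in $1 (RFC 2253 name formatting,
# so the output line looks like "subject=CN=*.example.com").
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if CN $1 covers hostname $2: exact match, or a single-label
# wildcard (*.example.com covers www.example.com, not a.b.example.com or example.com).
cn_matches_host() {
    cn=$1
    host=$2
    [ "$cn" = "$host" ] && return 0
    case $cn in
        \*.*) ;;
        *) return 1 ;;
    esac
    suffix=${cn#\*.}
    rest=${host#*.}
    # the host must contribute exactly one label in front of the wildcard suffix
    if [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]; then
        return 0
    fi
    return 1
}

# Fetch the certificate presented to a client for SNI $3 when connecting to
# $1:$2 (the intercepted origin, or the bump port) and report whether it is the
# expected generated leaf. Optional $4 "host:port" sends CONNECT through an
# explicit proxy first. TLS 1.2 is forced, as suggested in the thread, so a
# TLS 1.3-only code path on the client side is excluded from the experiment.
check_presented_cert() {
    target=$1
    port=$2
    sni=$3
    proxy=${4:-}
    pem=$(mktemp)
    if [ -n "$proxy" ]; then
        set -- -proxy "$proxy"
    else
        set --
    fi
    if ! openssl s_client "$@" -connect "$target:$port" -servername "$sni" \
            -tls1_2 </dev/null 2>/dev/null | openssl x509 -outform PEM >"$pem" 2>/dev/null; then
        rm -f "$pem"
        echo "no certificate received from $target:$port"
        return 2
    fi
    kind=$(cert_kind "$pem")
    cn=$(cert_cn "$pem")
    rm -f "$pem"
    echo "presented: kind=$kind CN=$cn"
    if [ "$kind" = ca ]; then
        echo "FAIL: client received a CA certificate, not a generated leaf"
        return 1
    fi
    if cn_matches_host "$cn" "$sni"; then
        echo "OK: generated certificate covers $sni"
        return 0
    fi
    echo "FAIL: CN $cn does not cover $sni"
    return 1
}

# Usage: sh check_bump.sh <target-host> <port> <sni> [proxy-host:port]
if [ $# -ge 3 ]; then
    check_presented_cert "$@"
fi
```

Run it once with `-tls1_2` as written and once after removing that flag; if the certificate only goes wrong with TLS 1.3, that narrows the problem to the client-side 1.3 handling Alex suspects. A `kind=ca` result is direct evidence for his second guess, that the CA certificate from the related context was installed on the client connection instead of the generated one.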