Hey Alex,

Can you point me to the rough location in code where the certs are sent to the client? I tried with TLS 1.2 with openssl s_client and it returned the certs the same.

Thanks,
Greg

> On Jan 13, 2021, at 8:44 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 1/13/21 9:47 PM, Greg Hulands wrote:
>> I have put the ALL,9 log
>> here https://gist.github.com/ghulands/4a689db93fc87f9e7f69174f292f1914
>
>> I can see it generates the certificate correctly,
>
> Agreed. Squid receives (from the helper) a generated certificate with
> the right wildcard CN, not a CA certificate.
>
>
>> but couldn’t identify why it didn’t return the cert to the client.
>
> Yeah... Squid is calling the code that should set the certificate for
> the client connection. Unfortunately, I cannot easily tell whether that
> code is using the right certificate -- the existing debugging may not
> even reveal that detail.
>
> If you see a different certificate received by the client -- something I
> cannot verify from the logs -- then perhaps Squid incorrectly switched
> the right certificate to a different one or Squid failed to set the
> right certificate but forgot to report the problem (and the CA
> certificate from the related context was used?). These are just wild
> guesses.
>
> If you do not get better suggestions for going forward, consider these
> last-straw ideas:
>
> * Testing with a client like openssl, try disabling TLS v1.3. It is
> being used by the client in your logs. Perhaps there is something in TLS
> v1.3 that requires special handling when talking to the client. I know
> that Squid has problems with TLS v1.3 on the Squid-to-server
> connections... (In your case, the Squid-to-server connection is TLS v1.2
> AFAICT).
>
> * Upgrade to the latest v5 or even v6. I see no relevant fixes in v5 but
> I could miss them.
>
> * If you are a developer, add more debugging or use gdb to find out what
> happens with the Squid-to-client certificate. Otherwise, find a
> developer who can do that for you.
>
> Sorry I cannot think of any good options here.
>
> Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users