Trying to set up a non-transparent forward proxy with TLS, using squid 4.10-1ubuntu1.5 (Ubuntu 20.04), with this config line:
`https_port 12345 tls-cert=/etc/letsencrypt/.../fullchain.pem tls-key=/etc/letsencrypt/.../privkey.pem`
When establishing a TLS connection to that port, squid seems to return only the domain certificate from the certificate chain:
```
$ openssl s_client -showcerts -connect hostname:12345 | grep -v '^[A-Za-z0-9]'
depth=0 CN = ...
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ...
verify error:num=21:unable to verify the first certificate
verify return:1
---
 0 s:CN = ...
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
```
While nginx, using the same pair of files, works correctly:
```
$ openssl s_client -showcerts -connect hostname:443 | grep -v '^[A-Za-z0-9]'
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ...
verify return:1
---
 0 s:CN = ...
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
```
Am I missing some configuration option, or is this a squid4 bug?
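Added example, not part of the original post: a small shell check that reads `openssl s_client -showcerts` output and reports whether the server presented only the leaf certificate (the squid capture above) or a chain whose issuer/subject links are consistent (the nginx capture). The two sample captures inside it are constructed from the outputs in the post, with a placeholder CN.

```shell
# Added example (not part of the original post): read `openssl s_client -showcerts`
# output on stdin and report whether the server sent a consistent chain or only the leaf.
# Usage: openssl s_client -showcerts -connect host:port </dev/null 2>/dev/null | check_chain
check_chain() {
    awk '
        # " 0 s:<subject>" starts a new entry; "   i:<issuer>" belongs to the latest one
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no certificates found in input"; exit 1 }
            ok = 1
            # each certificate must be issued by the one that follows it in the list
            for (k = 1; k < n; k++) {
                if (iss[k] != subj[k+1]) {
                    printf("gap after cert %d: issuer [%s] != next subject [%s]\n", k-1, iss[k], subj[k+1])
                    ok = 0
                }
            }
            # a single cert that is not self-signed means no intermediate was sent
            if (n == 1 && iss[1] != subj[1]) {
                printf("only the leaf was sent; intermediate [%s] is missing\n", iss[1])
                ok = 0
            }
            if (ok) printf("%d certificate(s) sent, chain links are consistent\n", n)
            exit (ok ? 0 : 1)
        }'
}

# Constructed samples modelled on the two captures in the post (CN is a placeholder).
squid_sample() {
cat <<'EOF'
 0 s:CN = proxy.example.test
   i:C = US, O = Let's Encrypt, CN = R3
EOF
}
nginx_sample() {
cat <<'EOF'
 0 s:CN = proxy.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}

# Demo: the squid-style capture fails the check, the nginx-style capture passes.
squid_sample | check_chain || echo "(exit status 1: incomplete chain)"
nginx_sample | check_chain
```

The `depth=`/`verify` lines that s_client writes to stderr are ignored, so the function works on a saved capture as well as on a live connection.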
squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users