Re: [squid-users] Squid/DebianSqueeze/ https_port / Attempting to have CAs recognised

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 05 Aug 2011 01:27:26 +1200

On 05/08/11 00:46, J4K wrote:
> Hi there,
>
> I am attempting to configure Squid (proxy) with a Free Startcom SSL certificate. My goal is to have client requests (http and https) to be proxied between squid and client over SSL. I know it'll break server certs from the legit servers :(

What makes you think that?

forward-proxy:
   double-encrypting is possible and likely the best way to go about
this. Most browsers today simply won't talk SSL when contacting a proxy,
but will happily talk over an SSL tunnel to a proxy, similar to a proxy
over a VPN link.

reverse-proxy:
  the squid gateway _is_ the origin server from the browser's viewpoint.
Using a certificate is right there and will not cause problems.

> Squid recognises part of the SSL key chain, but not all of it. Finally it claims a level of the CA is self-signed.
>
> The Apache host I have uses this, so I have used it as a source of inspiration.
> SSLCertificateFile /etc/ssl/private/example.co.uk.ssl.crt
> SSLCertificateKeyFile /etc/ssl/private/example.co.uk.nopassphase_ssl.key
> SSLCertificateChainFile /etc/ssl/certs/startcomIntermediateCA.pem
> SSLCACertificateFile /etc/ssl/certs/startcomCA.pem
>
>
> The config has this:
> https_port 62.123.123.123:8055 key=/etc/ssl/private/example.co.uk.nopassphase_ssl.key cert=/etc/ssl/private/example.co.uk.ssl.crt cafile=/etc/ssl/certs/startcom_combinedCA_and_Intermediate.pem defaultsite=webtest.example.co.uk options=NO_SSLv2 sslflags=NO_SESSION_REUSE
>
> The cafile is actually the combined SSLCertificateChainFile and SSLCACertificateFile file from the Apache vhost. I have tried changing the order of the contained keys in the vain hope it would make a difference, which it didn't.
> I have tried the https_port with sslflags=NO_DEFAULT_CA,NO_SESSION_REUSE with no noticeable effect.
>
>
> Here is what I get:
> # openssl s_client -connect 62.123.123.123:8055
> CONNECTED(00000003)
> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
> 0 s:/description=328815-ueN64BIOcLRJ4ldH/C=AU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=webtest.example.co.uk/emailAddress=webmaster_at_example.co.uk
> i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIHzD [SNIP]
> y3UmvlByGsMzrhmhIQqk52J9Hu5HXb5hiEGM1aOi8QM=
> -----END CERTIFICATE-----
> subject=/description=328815-ueN64BIOcLRJ4ldH/C=AU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=webtest.example.co.uk/emailAddress=webmaster_at_example.co.uk
> issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 5732 bytes and written 703 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> Session-ID-ctx:
> Master-Key: A02CBA24C40B65FEB3C3A0CFC45C834E11FAF4F6AC7905A452FAA3C400DFE5DFC1783218180ECDA3CE2A083281D8909D
> Key-Arg : None
> Start Time: 1312457813
> Timeout : 300 (sec)
> Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
>
> Obfuscation of IP and FQDNs in above examples.
>
> Any ideas how I can get the CAs to be valid?

That config should work, and the details do appear to all arrive in the
openssl tool for use. So that part seems right.

The only cert in that chain which is self-signed is the main "StartCom
Certification Authority" certificate.

Is your CA certs base information up to date?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.10
Received on Thu Aug 04 2011 - 13:27:34 MDT

This archive was generated by hypermail 2.2.0 : Thu Aug 04 2011 - 12:00:01 MDT
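Added example, not part of the thread above and not Squid's or the posters' code. "Verify return code: 19 (self signed certificate in certificate chain)" is what OpenSSL reports when the chain it walked ends in a self-signed root that is not in the client's trust store: s_client checks against OpenSSL's default CAfile/CApath unless -CAfile or -CApath is given, so if the StartCom root is missing from that store (Amos's question about the CA certs base) the verdict is 19 no matter how cafile= is ordered. Sending the root in the chain does not make a client trust it; a client can only trust roots it already holds. The script below reproduces that with a throwaway root/intermediate/leaf chain built with the openssl CLI (1.1.0 or newer for -no-CAfile/-no-CApath); every file name, subject and path in it is made up.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce X509 verify error 19
# ("self signed certificate in certificate chain") offline with a throwaway
# root -> intermediate -> leaf chain, then show the same chain verifying
# cleanly once the root is supplied as a trust anchor. All names are made up.
set -eu

# Minimal openssl config so the example does not depend on the system's
# openssl.cnf; the extension sections are selected with -extensions below.
write_config() {
    cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:webtest.example.co.uk
EOF
}

# Build root (self-signed), intermediate (signed by root) and leaf (signed
# by intermediate) in directory $1, then assemble what a server configured
# like the https_port in the post sends alongside the leaf: the
# intermediate plus, unnecessarily, the root itself.
make_chain() {
    d=$1
    write_config "$d"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$d/ext.cnf" -extensions ca_ext \
        -subj "/CN=Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
        -subj "/CN=Test Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -set_serial 2 \
        -extfile "$d/ext.cnf" -extensions ca_ext -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
        -subj "/CN=webtest.example.co.uk" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.crt" \
        -CAkey "$d/int.key" -set_serial 3 \
        -extfile "$d/ext.cnf" -extensions leaf_ext -out "$d/leaf.crt" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" > "$d/sent_chain.pem"
}

# Verify the leaf with the sent chain but an empty trust store, which is the
# situation of a client whose CA bundle lacks the root. Returns 0 only if
# openssl reports verify error 19, the code seen in the post.
verify_without_trust_anchor() {
    out=$(openssl verify -no-CAfile -no-CApath \
            -untrusted "$1/sent_chain.pem" "$1/leaf.crt" 2>&1 || true)
    case $out in
        *"error 19 at "*) return 0 ;;
        *) echo "$out"; return 1 ;;
    esac
}

# Same sent chain, but the root is now a trust anchor: verification passes.
verify_with_trust_anchor() {
    openssl verify -no-CApath -CAfile "$1/root.crt" \
        -untrusted "$1/sent_chain.pem" "$1/leaf.crt" >/dev/null 2>&1
}

if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_chain "$d"
    verify_without_trust_anchor "$d" && echo "empty trust store: verify error 19 (expected)"
    verify_with_trust_anchor "$d" && echo "root trusted: chain OK"
    rm -rf "$d"
fi
```

Run it with "sh chain_check.sh run" (any file name will do). Against the real listener the equivalent check is to point s_client at the distribution's bundle explicitly, e.g. "openssl s_client -connect 62.123.123.123:8055 -CAfile /etc/ssl/certs/ca-certificates.crt" on Debian (the file installed by the ca-certificates package): if that still returns 19, the StartCom root is absent from the bundle and the fix is on the verifying side, not in the cafile= ordering.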