Dear All!
I've also a problem running ssl-bump with an intermediate CA using a signed
certificate from a CA.
My setup is as follows:
squid-3.3.3-20130418-r12525 with
- https_port 3130 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid33/ssl_cert/server.pem
key=/etc/squid33/ssl_cert/key.pem
- ssl_bump server-first all
- sslproxy_cert_error allow all
- sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
following the rules http://wiki.squid-cache.org/Features/MimicSslServerCert
This is working fine when using my self generated CA for signing the requests,
however I want to get rid of the browser warning so I try to use a CA already
recognized in the browser, what should be possible following this ticket:
http://bugs.squid-cache.org/show_bug.cgi?id=3426 (already mentioned)
But no matter what I do I can't get rid of the browser warning. If I use a self
signed root CA or certificate squid detects it is self signed and does not
append any intermediate CA or other chain.
If I generate an csr and send it to a CA I get back an .crt and an
intermediate-bundle, pack them up with the key in a single .pem file and restart
squid - then a chain is displayed in the browser but now with one 'cert' to much
(imho) and marked as invalid. Firefox reports sec_error_unknown_issuer, safari
says invalid chain length
For example in the browser details it looks like this:
RootCA (which is marked fine by the browser) -> Intermediate CA (marked invalid)
-> Certificate signed and created by the csr (marked invalid) -> fake
certificate created by squid for the requested site (marked invalid)
If anyone has a running setup without importing the self-signed CA to all
browsers please let me know.
Thanks for any feedback,
Alex
Received on Mon Apr 22 2013 - 16:36:17 MDT
This archive was generated by hypermail 2.2.0 : Mon Apr 22 2013 - 12:00:06 MDT