https_port and capath


https_port and capath

senor
Previous questions on this list referred to using the capath= option to the https_port directive to fill in certificates missing in the chain to the Root CA trusted by the clients. I cannot seem to get that to work.

I see no error in parsing even with debug on (debug section 3,9). The directive is read and no error produced but also no hint that the file pointed to by capath is used for anything. The SSL negotiation is not changed. The same 2 certs are passed. Just the signing cert and the signed cert.

directive:
 https_port 192.168.12.10:8443 intercept ssl-bump cert=/etc/squid/mitm.crt key=/etc/squid/mitm.key cafile=/etc/squid/mitm_chain.crt generate-host-certificates=on dynamic_cert_mem_cache_size=32MB name=mitm

The RootCA.crt is trusted by clients.
The Root CA signed intermediate1
Intermediate1 signed intermediate2
cert=intermediate2
cafile=intermediate1

This command succeeds:
openssl verify -CAfile RootCA.crt -untrusted intermediate1.crt intermediateL2.crt
If the untrusted intermediate1 is added to client the MITM works.

I realize this wouldn't be used very often and I'd prefer not using it myself but it is necessary in this case.
Any hints?
Thanks in advance,
Senor
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: https_port and capath

Amos Jeffries
Administrator
On 29/03/2017 11:07 a.m., senor wrote:

> Previous questions on this list referred to using the capath= option
> to the https_port directive to fill in certificates missing in the chain
> to the Root CA trusted by the clients. I cannot seem to get that to
> work.
>
> I see no error in parsing even with debug on (debug section 3,9). The
> directive is read and no error produced but also no hint that the
> file pointed to by capath is used for anything. The SSL negotiation
> is not changed. The same 2 certs are passed. Just the signing cert
> and the signed cert.
>
> directive:
> https_port 192.168.12.10:8443 intercept ssl-bump \
>  cert=/etc/squid/mitm.crt key=/etc/squid/mitm.key \
>  cafile=/etc/squid/mitm_chain.crt generate-host-certificates=on \
>  dynamic_cert_mem_cache_size=32MB name=mitm
>
> The RootCA.crt is trusted by clients.
> The Root CA signed intermediate1
> Intermediate1 signed intermediate2
> cert=intermediate2
> cafile=intermediate1
>
> This command succeeds:
> openssl verify -CAfile RootCA.crt -untrusted intermediate1.crt intermediateL2.crt
> If the untrusted intermediate1 is added to client the MITM works.
>
> I realize this wouldn't be used very often and I'd prefer not using it myself but it is necessary in this case.
> Any hints?

The cert= and key= parameters are used by the cert generator.

The cafile= parameter and the generator output are used by the
verification and maybe sent to the client.

So your PEM file in *both* cert= and cafile= needs to contain the whole
chain of intermediates.

Amos