ssl bump intermediate certificate


ssl bump intermediate certificate

Marek Greško
Hello,

I am trying to configure ssl bumping on squid 4.8 but my browser is
not able to validate the certificate due to intermediate certificate
missing. How could I convince squid to send it?

Thanks

Marek
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: ssl bump intermediate certificate

Walter H.
On 30.10.2019 05:59, Marek Greško wrote:
> Hello,
>
> I am trying to configure ssl bumping on squid 4.8 but my browser is
> not able to validate the certificate due to intermediate certificate
> missing. How could I convince squid to send it?
>
> Thanks
>
> Marek
The ssl-bump certificate is either a root certificate itself, which must
be installed on the clients, or an intermediate, where
the root and all intermediates between must be installed on the clients.




Re: ssl bump intermediate certificate

Matus UHLAR - fantomas
>On 30.10.2019 05:59, Marek Greško wrote:
>>I am trying to configure ssl bumping on squid 4.8 but my browser is
>>not able to validate the certificate due to intermediate certificate
>>missing. How could I convince squid to send it?

On 30.10.19 10:11, Walter H. wrote:
>The ssl-bump certificate is either a root certificate itself, which must
>be installed on the clients, or an intermediate, where
>the root and all intermediates between must be installed on the clients.

Do you mean that squid won't send the intermediate certificate?

this should be:

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.

Re: ssl bump intermediate certificate

Marek Greško
Hello,

Matus, I also found the document. It should be sending the chain, but
is not. When I specify the cafile option it responds that I should use
tls-cafile. But in either case it is not sending.

Walter, if squid has such a requirement, then it is unfinished. Every
other proxy is able to run its CA as an intermediate and clients
install only the root CA. The proxy should be responsible for holding the
chain. The URL Matus sent is the correct way to do it, but it is
not working. At least not in the 4.8 version.

Marek


2019-10-30 10:42 GMT+01:00, Matus UHLAR - fantomas <[hidden email]>:

>>On 30.10.2019 05:59, Marek Greško wrote:
>>>I am trying to configure ssl bumping on squid 4.8 but my browser is
>>>not able to validate the certificate due to intermediate certificate
>>>missing. How could I convince squid to send it?
>
> On 30.10.19 10:11, Walter H. wrote:
>>The ssl-bump certificate is either a root certificate itself, which must
>>be installed on the clients, or an intermediate, where
>>the root and all intermediates between must be installed on the clients.
>
> do you mean that squid won't send intermediate certificate?
>
> this should be:
>
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA
>
> --
> Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Honk if you love peace and quiet.

Re: ssl bump intermediate certificate

Amos Jeffries
On 31/10/19 9:49 am, Marek Greško wrote:

> Hello,
>
> Matus, I also found the document. It should be sending the chain, but
> is not. When I specify the cafile option it responds that I should use
> tls-cafile. But in either case it is not sending.
>
> Walter, if squid has such a requirement, then it is unfinished. Every
> other proxy is able to run its CA as an intermediate and clients
> install only the root CA. The proxy should be responsible for holding the
> chain. The URL Matus sent is the correct way to do it, but it is
> not working. At least not in the 4.8 version.
>

"
cafile=
  File containing additional CA certificates to use
  when verifying client certificates.
"

Note that last line. Squid-4 is more strict about its configured inputs
being used for what they are documented as.

The best place to put the chain is actually in the PEM file used in the
cert= parameter. It should contain as much of the chain as you want
Squid to send, starting with the proxy's signing CA cert and going up
the chained intermediate CA certs towards the root CA.


Squid-4 will validate that all certificates actually form a chain in the correct
sequence, ignoring any which are incorrect or out of sequence. Running
"squid -k parse" will report any errors loading the chain.

Amos

Re: ssl bump intermediate certificate

Marek Greško
Hello,

I already tried adding the root CA to the PEM file in the cert= option.
But it had no effect.

The squid -k parse seems a good point.

I got: Ignoring non-issuer CA from /etc/squid/bump-CA/bump-ca.crt

If I add the root ca, that one is reported to be added, but still
ignoring the bump ca. Why is it ignoring my CA?

The reported purpose of the certificate is:
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

What am I doing wrong?

Thanks

Marek

2019-10-31 8:38 GMT+01:00, Amos Jeffries <[hidden email]>:

> On 31/10/19 9:49 am, Marek Greško wrote:
>> Hello,
>>
>> Matus, I also found the document. It should be sending the chain, but
>> is not. When I specify the cafile option it responds that I should use
>> tls-cafile. But in either case it is not sending.
>>
>> Walter, if squid has such a requirement, then it is unfinished. Every
>> other proxy is able to run its CA as an intermediate and clients
>> install only the root CA. The proxy should be responsible for holding the
>> chain. The URL Matus sent is the correct way to do it, but it is
>> not working. At least not in the 4.8 version.
>>
>
> "
> cafile=
>   File containing additional CA certificates to use
>   when verifying client certificates.
> "
>
> Note that last line. Squid-4 is more strict about its configured inputs
> being used for what they are documented as.
>
> The best place to put the chain is actually in the PEM file used in the
> cert= parameter. It should contain as much of the chain as you want
> Squid to send, starting with the proxy's signing CA cert and going up
> the chained intermediate CA certs towards the root CA.
>
>
> Squid-4 will validate that all certificates actually form a chain in the correct
> sequence, ignoring any which are incorrect or out of sequence. Running
> "squid -k parse" will report any errors loading the chain.
>
> Amos

Re: ssl bump intermediate certificate

Amos Jeffries
All of the "CA" entries in that purposes list say "No". So this is not a CA certificate, it is an origin server certificate.

It can only be used to receive explicit TLS proxy or HTTPS origin server traffic.

Amos

Sent from my alcatel U5
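Added example (not Squid's code and not from the thread): a POSIX shell checker that builds a constructed root CA and bump CA with openssl, then inspects a cert= bundle the way Amos describes Squid-4 loading it (signing CA first, every entry a CA certificate, each issued by the next one), using the same "SSL server CA" purpose line that settled Marek's case. The CN values, file names and the function names make_test_pki/check_bundle are made up.

```shell
#!/bin/sh
# Added example, not Squid's own code. make_test_pki builds a constructed root CA and
# bump CA under $WORK; check_bundle inspects a cert= PEM bundle in the order Squid-4
# wants it: the proxy's signing CA first, then its issuer(s), every entry a real CA.
set -eu
WORK=${WORK:-$(mktemp -d)}

make_test_pki() {
  # every CA certificate gets CA:TRUE plus keyCertSign, which the purpose check needs
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
      -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
      -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Bump CA" \
      -keyout "$WORK/bump.key" -out "$WORK/bump.csr" >/dev/null 2>&1
  # right: the bump CA is signed by the root WITH the CA extensions
  openssl x509 -req -in "$WORK/bump.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/bump.crt" >/dev/null 2>&1
  # the mistake from the thread: the same CSR signed WITHOUT any CA extension
  openssl x509 -req -in "$WORK/bump.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 30 -out "$WORK/notca.crt" >/dev/null 2>&1
  cat "$WORK/bump.crt"  "$WORK/root.crt" > "$WORK/good-bundle.pem"     # signing CA, then root
  cat "$WORK/notca.crt" "$WORK/root.crt" > "$WORK/bad-bundle.pem"      # non-CA cert first
  cat "$WORK/root.crt"  "$WORK/bump.crt" > "$WORK/reversed-bundle.pem" # out of sequence
}

# check_bundle FILE: succeed only if FILE is a correctly ordered chain of CA certificates
check_bundle() {
  dir=$(mktemp -d); n=0
  # one file per certificate, numbered in bundle order
  awk -v d="$dir" '/BEGIN CERTIFICATE/ {n++} n > 0 {print > (sprintf("%s/%02d.pem", d, n))}' "$1"
  set -- "$dir"/*.pem
  while [ $# -gt 0 ]; do
    n=$((n + 1))
    # same test as the "SSL server CA : Yes/No" line of openssl x509 -purpose
    if ! openssl x509 -in "$1" -noout -purpose | grep -q 'SSL server CA *: *Yes'; then
      echo "cert $n is not a CA certificate; Squid-4 would ignore it"; return 1
    fi
    # the next entry must be this one's issuer, and the signature must verify
    if [ $# -gt 1 ] && ! openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1; then
      echo "cert $((n + 1)) is not the issuer of cert $n; chain is out of sequence"; return 1
    fi
    shift
  done
  echo "chain of $n certificate(s) loads cleanly"
}
```

To check a real proxy, source the script and run check_bundle on the PEM file named in the cert= parameter; make_test_pki only builds the constructed fixtures.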