[squid-users] Squid/DebianSqueeze/ https_port / Attempting to have CAs recognised

From: J4K <junk4_at_klunky.co.uk>
Date: Thu, 04 Aug 2011 14:46:58 +0200

Hi there,

        I am attempting to configure Squid (proxy) with a free StartCom SSL certificate. My goal is to have client requests (http and https) proxied between squid and client over SSL. I know it'll break server certs from the legit servers :(
Squid recognises part of the SSL key chain, but not all of it. Finally it claims a level of the CA is self-signed.

The Apache host I have uses this, so I have used it as a source of inspiration.
   SSLCertificateFile /etc/ssl/private/example.co.uk.ssl.crt
   SSLCertificateKeyFile /etc/ssl/private/example.co.uk.nopassphase_ssl.key
   SSLCertificateChainFile /etc/ssl/certs/startcomIntermediateCA.pem
   SSLCACertificateFile /etc/ssl/certs/startcomCA.pem

The config has this:
https_port 62.123.123.123:8055 key=/etc/ssl/private/example.co.uk.nopassphase_ssl.key cert=/etc/ssl/private/example.co.uk.ssl.crt cafile=/etc/ssl/certs/startcom_combinedCA_and_Intermediate.pem defaultsite=webtest.example.co.uk options=NO_SSLv2 sslflags=NO_SESSION_REUSE

The cafile is actually the combined SSLCertificateChainFile and SSLCACertificateFile file from the Apache vhost. I have tried changing the order of the contained keys in the vain hope it would make a difference, which it didn't.
I have tried the https_port with sslflags=NO_DEFAULT_CA,NO_SESSION_REUSE with no noticeable effect.

Here is what I get:
# openssl s_client -connect 62.123.123.123:8055
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

---
Certificate chain
 0 s:/description=328815-ueN64BIOcLRJ4ldH/C=AU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=webtest.example.co.uk/emailAddress=webmaster_at_example.co.uk
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHzD  [SNIP]
y3UmvlByGsMzrhmhIQqk52J9Hu5HXb5hiEGM1aOi8QM=
-----END CERTIFICATE-----
subject=/description=328815-ueN64BIOcLRJ4ldH/C=AU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=webtest.example.co.uk/emailAddress=webmaster_at_example.co.uk
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5732 bytes and written 703 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: A02CBA24C40B65FEB3C3A0CFC45C834E11FAF4F6AC7905A452FAA3C400DFE5DFC1783218180ECDA3CE2A083281D8909D
    Key-Arg   : None
    Start Time: 1312457813
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
The IP and FQDNs in the above examples are obfuscated.
Any ideas how I can get the CAs to be valid?
Best wishes,
S
Received on Thu Aug 04 2011 - 12:46:45 MDT

This archive was generated by hypermail 2.2.0 : Thu Aug 04 2011 - 12:00:01 MDT
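As an added example, not part of the original post and not Squid's or OpenSSL's code: a small Python parser for the "Certificate chain" block that `openssl s_client` prints, run over the output quoted in the post above (copied in as constructed sample input, obfuscated names unchanged). It checks that each certificate's issuer is the subject of the next entry and whether the last entry is self-signed, i.e. whether the server is sending the root along with the intermediates. In OpenSSL, verify error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) means the chain could be built from the certificates the server sent but the root was not found in the verifier's own trust store, so the diagnosis pairs that code with the chain shape. Function and class names here are the example's own.

```python
"""Parse the 'Certificate chain' section of `openssl s_client` output and
check how the chain links up.  Added example, not from the original post."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the chain block from the post above, verbatim.
SAMPLE = """\
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=328815-ueN64BIOcLRJ4ldH/C=AU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=webtest.example.co.uk/emailAddress=webmaster_at_example.co.uk
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
"""

@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # Name-based check on the DNs s_client prints; a full check would
        # also verify the signature, which this text output cannot do.
        return self.subject == self.issuer

# s_client prints " N s:<subject>" followed by "   i:<issuer>" per entry.
_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")
_VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$", re.M)

def parse_chain(text: str) -> List[ChainEntry]:
    """Return the chain entries in the order the server sent them."""
    entries: List[ChainEntry] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = _SUBJECT.match(lines[i])
        if m and i + 1 < len(lines):
            mi = _ISSUER.match(lines[i + 1])
            if mi:
                entries.append(ChainEntry(int(m.group(1)), m.group(2).strip(),
                                          mi.group(1).strip()))
                i += 2
                continue
        i += 1
    return entries

def parse_verify_error(text: str) -> Optional[Tuple[int, str]]:
    """First 'verify error:num=N:...' line as (N, message), or None."""
    m = _VERIFY_ERR.search(text)
    return (int(m.group(1)), m.group(2).strip()) if m else None

def check_chain(entries: List[ChainEntry]) -> dict:
    """Each issuer must equal the next subject; note if the last is a root."""
    problems = []
    for a, b in zip(entries, entries[1:]):
        if a.issuer != b.subject:
            problems.append(f"depth {a.depth} issuer != depth {b.depth} subject")
    return {
        "depth": len(entries),
        "linked": not problems,
        "problems": problems,
        "sends_root": bool(entries) and entries[-1].self_signed,
    }

def diagnose(result: dict, verify_error: Optional[Tuple[int, str]]) -> str:
    """Turn the chain shape plus s_client's verify code into a hint."""
    if verify_error is None:
        return "chain verified by s_client"
    num, msg = verify_error
    if not result["linked"]:
        return "chain is broken: " + "; ".join(result["problems"])
    if num == 19 and result["sends_root"]:
        # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: chain built from the
        # certificates sent, but the root is not in the local trust store.
        return ("complete chain ending in a self-signed root that the client "
                "does not trust; rerun s_client with -CAfile <root cert>")
    return f"verify error {num}: {msg}"

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    for e in chain:
        print(f"{e.depth}: {e.subject}\n   issued by {e.issuer}"
              f"{'  [self-signed]' if e.self_signed else ''}")
    result = check_chain(chain)
    print(result)
    print(diagnose(result, parse_verify_error(SAMPLE)))
```

Paste any `openssl s_client -connect host:port` output in place of SAMPLE; if `diagnose` reports a broken link, the server is missing an intermediate, whereas the "complete chain ... -CAfile" hint means the served chain is fine and only the verifying client lacks the root.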