Hi there,
I am attempting to configure Squid (proxy) with a Free Startcom SSL certificate. My goal is to have client requests (http and https) to be proxied between squid and client over SSL. I know it'll break server certs from the legit servers :(
Squid recognises part of the SSL key chain, but not all of it. Finally it claims a level of the CA is self-signed.
The Apache host I have uses this, so I have used it as a source of inspiration.
SSLCertificateFile /etc/ssl/private/example.co.uk.ssl.crt
SSLCertificateKeyFile /etc/ssl/private/example.co.uk.nopassphase_ssl.key
SSLCertificateChainFile /etc/ssl/certs/startcomIntermediateCA.pem
SSLCACertificateFile /etc/ssl/certs/startcomCA.pem
The config has this:
https_port 62.123.123.123:8055 key=/etc/ssl/private/example.co.uk.nopassphase_ssl.key cert=/etc/ssl/private/example.co.uk.ssl.crt cafile=/etc/ssl/certs/startcom_combinedCA_and_Intermediate.pem defaultsite=webtest.example.co.uk options=NO_SSLv2 sslflags=NO_SESSION_REUSE
The cafile is actually the combined SSLCertificateChainFile and SSLCACertificateFile file from the Apache vhost. I have tried changing the order of the contained keys in vain hope it would make a difference, which it didn't.
I have tried the https_port with sslflags=NO_DEFAULT_CA,NO_SESSION_REUSE with no noticeable effect.
Here is what I get:
# openssl s_client -connect 62.123.123.123:8055
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=328815-ueN64BIOcLRJ4ldH/C=AU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=webtest.example.co.uk/emailAddress=webmaster_at_example.co.uk
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHzD [SNIP] y3UmvlByGsMzrhmhIQqk52J9Hu5HXb5hiEGM1aOi8QM=
-----END CERTIFICATE-----
subject=/description=328815-ueN64BIOcLRJ4ldH/C=AU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=webtest.example.co.uk/emailAddress=webmaster_at_example.co.uk
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5732 bytes and written 703 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: A02CBA24C40B65FEB3C3A0CFC45C834E11FAF4F6AC7905A452FAA3C400DFE5DFC1783218180ECDA3CE2A083281D8909D
    Key-Arg   : None
    Start Time: 1312457813
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

Obfuscation of IP and FQDNs in above examples.

Any ideas how I can get the CAs to be valid?

Best wishes,
S

Received on Thu Aug 04 2011 - 12:46:45 MDT
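An added example, not from the post, Squid or StartCom: it builds a throwaway root -> intermediate -> server chain with the openssl CLI and runs the same path validation that s_client performs, so the reader can see that verify error 19 is produced on the client side whenever the self-signed root appears in the served chain without being a trust anchor, and how it differs from error 20 (intermediate missing). It assumes only that the openssl command is installed; every name and file below is constructed. Against the live proxy the equivalent check is openssl s_client -connect host:port -CAfile startcomCA.pem, which makes the client trust the StartCom root instead of the system store.

```shell
# Added example (not from the original post or from Squid): build a throwaway
# root -> intermediate -> server chain and classify the verify outcomes.
# Assumes the openssl command is on PATH; every name here is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# issue NAME PARENT EXTFILE: key and certificate for NAME, self-signed when
# PARENT is empty, otherwise signed with PARENT's key; EXTFILE sets CA:TRUE/FALSE.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$2" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -days 1 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 1 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# verify_code LEAF CHAIN [CAFILE]: validate LEAF with CHAIN playing the role of
# the certificates a server sends; print "OK" or the numeric X509 verify error.
verify_code() {
  out=$(openssl verify ${3:+-CAfile "$3"} -untrusted "$2" "$1" 2>&1 || true)
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

issue root "" "$WORK/ca.ext"
issue intermediate root "$WORK/ca.ext"
issue webtest intermediate "$WORK/leaf.ext"
# Chain as a server sends it: the intermediate, then (optionally) the root.
cat "$WORK/intermediate.crt" "$WORK/root.crt" > "$WORK/chain.pem"

# 1. Root present in the chain but not trusted by the client: error 19,
#    "self signed certificate in certificate chain", as in the post's s_client run.
verify_code "$WORK/webtest.crt" "$WORK/chain.pem"
# 2. Intermediate missing from the chain: error 20, "unable to get local issuer
#    certificate". Neither 1 nor 2 changes if the chain file is reordered.
verify_code "$WORK/webtest.crt" "$WORK/root.crt"
# 3. Same chain as in 1, root supplied as the client's trust anchor: OK.
verify_code "$WORK/webtest.crt" "$WORK/chain.pem" "$WORK/root.crt"
```

The files live under the mktemp directory and are removed when the script exits.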
This archive was generated by hypermail 2.2.0 : Thu Aug 04 2011 - 12:00:01 MDT