[squid-users] ssl-bump can't access trust ssl certificate site

From: John Xue <xgxjohn_at_gmail.com>
Date: Thu, 31 Jan 2013 11:47:04 +0800

Hi,

   I'm using ssl-bump in my forward proxy (Squid 3.2.3). When I try to access
https://centos.org, I get this error:

    (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

    SSL Certficate error: certificate issuer (CA) not known: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287

    But when I bypass the proxy and access this site in IE9, it's OK, so I
think the problem is the ssl-bump proxy, not an untrusted SSL certificate.

    This is my configuration:
    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/key.pem
    sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/ssl_db -M 4MB

--
Regards,
John Xue
Received on Thu Jan 31 2013 - 03:47:10 MST
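
What the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY code in the error above means, reproduced offline with the openssl command line (an added example, not part of the original post): a verifier that trusts only a root CA fails this way when the server certificate was issued by an intermediate CA it cannot find. The CA names, file names and helper functions are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Constructed demo chain: Demo Root CA -> Demo Intermediate CA -> www.example.test
# (all names are invented for this example).

# Build the three certificates in directory $1.
make_chain() {
    local d="$1"
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: the only certificate the verifier is told to trust.
    openssl req -x509 -config "$d/demo.cnf" -subj "/CN=Demo Root CA" -days 2 \
        -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -config "$d/demo.cnf" -subj "/CN=Demo Intermediate CA" \
        -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions ca_ext \
        -out "$d/inter.pem" 2>/dev/null
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -config "$d/demo.cnf" -subj "/CN=www.example.test" \
        -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Verifier knows only the root: the leaf's issuer cannot be found (error 20).
verify_root_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Same trust anchor, but the intermediate is supplied to complete the chain.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1
}

d=$(mktemp -d)
make_chain "$d"
echo "--- root only:";         verify_root_only "$d" || true
echo "--- with intermediate:"; verify_with_intermediate "$d"
```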
