On 31/01/2013 4:47 p.m., John Xue wrote:
> Hi,
>
> I'm using ssl-bump in my forward proxy squid3.2.3, I try to access
> https://centos.org, I get this error:
>
Firstly please upgrade to at least 3.2.6.
If possible please upgrade to squid-3.3 release series. They are
currently still in beta but work far better than 3.2 stable series does.
> (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
> SSL Certficate error: certificate issuer (CA) not known:
> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
>
> But when I bypass proxy access this site in IE9, it's ok, so I
> think the problem is ssl-bump proxy, no the untrust ssl certficate.
You are forging a certificate. Injecting it into the SSL traffic flow.
Decrypting that traffic flow. Then re-encrypting the outbound traffic
with a different client certificate.
"What could possibly go wrong?"
As it happens "certificate issuer (CA) not known" is happening.
Probably your CA key is not installed on that client machine.
>
> This is my configure:
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem
> key=/usr/local/squid/etc/key.pem
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
> /usr/local/squid/var/ssl_db -M 4MB
>
> --
> Regards,
> John Xue
Received on Thu Jan 31 2013 - 05:54:31 MST
This archive was generated by hypermail 2.2.0 : Thu Jan 31 2013 - 12:00:04 MST