
List:       squid-users
Subject:    Re: [squid-users] ssl-bump can't access trust ssl certficate site
From:       Amos Jeffries <squid3 () treenet ! co ! nz>
Date:       2013-01-31 5:54:20
Message-ID: 510A070C.4000005 () treenet ! co ! nz

On 31/01/2013 4:47 p.m., John Xue wrote:
> Hi,
>
>     I'm using ssl-bump in my forward proxy (Squid 3.2.3). When I try to access
> https://centos.org, I get this error:
>

Firstly please upgrade to at least 3.2.6.

If possible please upgrade to the squid-3.3 release series. They are 
currently still in beta but work far better than the 3.2 stable series does.

>      (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
>      SSL Certficate error: certificate issuer (CA) not known:
> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
>
>      But when I bypass the proxy and access this site in IE9, it's OK, so I
> think the problem is the ssl-bump proxy, not the untrusted SSL certificate.

You are forging a certificate. Injecting it into the SSL traffic flow. 
Decrypting that traffic flow. Then re-encrypting the outbound traffic 
with a different client certificate.
"What could possibly go wrong?"

As it happens "certificate issuer (CA) not known" is happening.

Probably your CA key is not installed on that client machine.


>
>      This is my configure:
>      http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem
> key=/usr/local/squid/etc/key.pem
>      sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
> /usr/local/squid/var/ssl_db -M 4MB
>
> --
> Regards,
> John Xue
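
The failure Amos describes can be reproduced and checked outside Squid. The script below is an added example, not code from this thread or from the Squid project: it builds a throw-away signing CA (the kind the `cert=`/`key=` options point at), mints a host certificate under it the way `ssl_crtd` does per origin, and then verifies that certificate the way a client TLS stack would. Without the CA in the trust store OpenSSL reports error 20, which is `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY`, the exact code in the error page above; with the CA file supplied it verifies OK. It assumes `openssl` is on the PATH; the CA name and the host name `example.test` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or from Squid itself.
# Assumes openssl on PATH. CA name and host name are constructed.

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA with the basicConstraints/keyUsage a signing CA needs
# (a stand-in for the poster's /usr/local/squid/etc/cert.pem + key.pem).
make_demo_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Bump CA (constructed)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Host certificate for $1 signed by the demo CA (a stand-in for what
# generate-host-certificates=on produces for each origin).
make_host_cert() {
    host="$1"
    cat > "$WORK/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/$host.cnf" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1 &&
    openssl x509 -req -sha256 -days 1 -in "$WORK/$host.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$host.cnf" -extensions leaf \
        -out "$WORK/$host.pem" >/dev/null 2>&1
}

# Verify host cert $1 as a client would. $2 is the CA file the client
# trusts; empty means "the proxy CA was never installed on the client".
# Prints OK on success, otherwise the X509_V_ERR number openssl reports
# (20 = unable to get local issuer certificate). Exit status follows verify.
verify_as_client() {
    host="$1"; trusted_ca="$2"
    if [ -n "$trusted_ca" ]; then
        out=$(openssl verify -CAfile "$trusted_ca" "$WORK/$host.pem" 2>&1) \
            && status=0 || status=$?
    else
        out=$(openssl verify "$WORK/$host.pem" 2>&1) && status=0 || status=$?
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ "$status" -eq 0 ]; then echo OK; else echo "${code:-unknown}"; fi
    return "$status"
}

make_demo_ca && make_host_cert example.test
verify_as_client example.test "" || true             # 20: CA not known to client
verify_as_client example.test "$WORK/ca.pem" || true # OK: CA in the trust store
```

The second call is what installing the bump CA on the client achieves: the forged leaf chains to a root the client trusts. If the first call prints something other than 20, the problem is not the missing CA but the certificate itself (expired, wrong name, or not actually signed by the key Squid is using).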
