First run the command I mentioned to ensure openssl can verify the full
chain for Yahoo.
$ openssl s_client -connect www.yahoo.com:443
../../ca-certificates/extracted/cadir/Verisign_Class_3_Public_Primary_Certification_Authority.pem
If you don't have a symlink that matches the subject hash then
That would explain the error if the Verisign Class 3 public root CA were
missing. However, our Smoothwall Express OS has all the standard root CAs,
packaged in /usr/ssl/certs. Do I need to tell squid where to find
those certs? If so, what config directive would I use for that?
Thanks!
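The symlink check referred to above, and the question of whether a directory such as /usr/ssl/certs is usable as a trust store at all, come down to how OpenSSL's -CApath lookup works: it does not read every PEM in the directory, it opens files named <subject_hash>.<n>, so a root certificate that is present but not hashed is invisible to the verifier. The script below is an added example, not code from anyone in this thread; it assumes only the openssl command-line tool and takes the certificate and directory paths as arguments.

```shell
#!/bin/sh
# Added example: test whether an OpenSSL CA directory (e.g. /usr/ssl/certs)
# can actually be used to verify a given root certificate, the same way a
# TLS client such as squid does when peer verification is left enabled.

# Print the 8-hex-digit subject hash that OpenSSL looks up in a CApath.
ca_subject_hash() {
    # $1 = path to a PEM certificate
    openssl x509 -in "$1" -noout -subject_hash
}

# Exit 0 if the directory holds a hashed file/link that resolves to the
# same certificate as $1, 1 if no <hash>.<n> entry exists at all,
# 2 if entries exist but none matches (stale link or hash collision).
capath_has_cert() {
    cert="$1"; dir="$2"
    hash=$(ca_subject_hash "$cert") || return 1
    want=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    found=1
    for link in "$dir/$hash".[0-9]*; do
        [ -e "$link" ] || continue
        found=2
        got=$(openssl x509 -in "$link" -noout -fingerprint -sha256 2>/dev/null) || got=""
        [ "$got" = "$want" ] && return 0
    done
    return $found
}

# Create the hashed symlink the way c_rehash / 'openssl rehash' would,
# choosing the first free suffix so existing entries are not clobbered.
capath_add_cert() {
    cert="$1"; dir="$2"
    hash=$(ca_subject_hash "$cert") || return 1
    abs="$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")"
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$abs" "$dir/$hash.$n"
}

# Run the real verification against the directory. $1 = CA directory,
# $2 = certificate to verify, $3 (optional) = PEM file of untrusted
# intermediates, i.e. what the server sent in the handshake.
verify_with_capath() {
    if [ -n "${3:-}" ]; then
        openssl verify -CApath "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CApath "$1" "$2" >/dev/null 2>&1
    fi
}

# Usage: sh capath_check.sh <root.pem> <cadir>
if [ "$#" -eq 2 ]; then
    if capath_has_cert "$1" "$2"; then
        echo "ok: $2 has a hashed entry $(ca_subject_hash "$1") for $1"
    else
        echo "missing: $2 has no usable $(ca_subject_hash "$1").N entry; run c_rehash on it or add the link"
        exit 1
    fi
fi
```

If the root is present as a file but capath_has_cert reports it missing, the fix is to rehash the directory, not to disable verification. Squid 3.x is pointed at such a directory with the sslproxy_capath directive (or at a single bundle with sslproxy_cafile); in Squid 4 these moved to tls_outgoing_options capath= and cafile=.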
On Wed,
It looks like you are missing the Verisign Class 3 Public Primary Root cert.
Notice the certificate chain list below.
Yahoo correctly sends back all intermediate certificates in the TLS
handshake so the only certificate you need to make sure squid trusts (via
openssl) is the Verisign root.
You shou
Okay, it's not a name of the cert problem.
I turned on extra debug info to see what I get when I remove the
DONT_VERIFY_PEER flag and tried accessing https://www.yahoo.com. This is
what I got in the cache.log. I only see a couple of lines about a
certificate error. Sorry this is long but I didn't
Thanks for the info, Alex. That's very helpful about cleaning up my ACLs.
Those ACLs are a collection of ACLs that others have suggested I use, but
it would be nice to make them less confusing for me.
With my limited understanding of how sslbump works, the idea for squid to
play MITM is that a sel
On 08/03/2016 08:45 AM, Stanford Prescott wrote:
> ssl_bump none localhostgreen
> ssl_bump peek tls_s1_connect all
> ssl_bump splice tls_s2_client_hello tls_to_splice
> ssl_bump stare tls_s2_client_hello all
> ssl_bump bump tls_s3_server_hello all
AFAICT, the above is too complex. You can simplif
I have had my squid implementation for sslbump set up and working for some
time now. I have had several people point out that my use of "sslproxy_flags
DONT_VERIFY_PEER" is dangerous from a security standpoint. When I was first
trying to get sslbump working it would not work until I saw a suggestion