Re: [squid-users] | Ignoring non-issuer CA from ... while squid -kparse

2019-02-24 Thread eliezer
I assume it's fine in general since it works.
I will try to run a request with openssl to see what certificate chain I'm receiving.
The issue is that it's a special "redirect all" proxy for filtering only
blacklisted domains.
So the squid receives all SSL requests and denies them with a 302 to another
server, so it's hard for me to see in the browser if the chain received is full.

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Sunday, February 24, 2019 10:14
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] | Ignoring non-issuer CA from ... while squid -kparse

On 24/02/19 3:36 pm, eliezer wrote:
> I am testing intermediate certificates and I have just created a key
> and certificate files.
> 
> The http line for ssl bump is:
> 
> http_port 23128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=16MB  cert=/etc/squid/ssl_cert/cert.pem
> key=/etc/squid/ssl_cert/key.pem
> 
> 
> 
> While running squid -kparse I get the next output:
> 
> 2019/02/24 04:28:03| Using certificate in /etc/squid/ssl_cert/cert.pem
> 
> 2019/02/24 04:28:03| Using certificate chain in /etc/squid/ssl_cert/cert.pem
> 
> 2019/02/24 04:28:03| Ignoring non-issuer CA from
> /etc/squid/ssl_cert/cert.pem: /C=IL/ST=Shomron/O=NgTech
> LTD/CN=pxaa13a65c.ngtech.co.il
> 
> ## END OF OUTPUT SNIPPET
> 
> 
> I am not sure how to look at this.
> 
> I am almost sure I did something wrong, maybe when I created the root CA
> or the intermediate?
> 


Since you are not using a self-signed cert, Squid is checking the
cert.pem file to see if any chain CAs exist in there.

Squid found one CA cert in the file and determined that it was not an
Issuer to place in the chain *after* the known signing CA.


Since this is the same file the cert= value came from, you should expect
the first thing that it finds is the signing CA cert. That already
exists in the known bit of chain and is not its own Issuer. So it should be
skipped.


From your description, the root CA was next in the chain and already
configured into the Browser. So you should not see any chain info
actually loaded for this setup. Though if you want to send even the root
CA you could add it to the file and Squid would send the full chain.


There is only a problem if:

 * the file being loaded is not one you wanted to load,
or
 * the displayed CN is something you did not expect to see in that file, or
 * the CA with that CN is supposed to be part of the CA chain which
signed/issued your cert= certificate:
  - Issuer sequence broken, or
  - Issuer sequence missing an entry, or
  - CAs not in correct chain order in the file.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



Re: [squid-users] | Ignoring non-issuer CA from ... while squid -kparse

2019-02-24 Thread Amos Jeffries
On 24/02/19 3:36 pm, eliezer wrote:
> I am testing intermediate certificates and I have just created a key
> and certificate files.
> 
> The http line for ssl bump is:
> 
> http_port 23128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=16MB  cert=/etc/squid/ssl_cert/cert.pem
> key=/etc/squid/ssl_cert/key.pem
> 
> 
> 
> While running squid -kparse I get the next output:
> 
> 2019/02/24 04:28:03| Using certificate in /etc/squid/ssl_cert/cert.pem
> 
> 2019/02/24 04:28:03| Using certificate chain in /etc/squid/ssl_cert/cert.pem
> 
> 2019/02/24 04:28:03| Ignoring non-issuer CA from
> /etc/squid/ssl_cert/cert.pem: /C=IL/ST=Shomron/O=NgTech
> LTD/CN=pxaa13a65c.ngtech.co.il
> 
> ## END OF OUTPUT SNIPPET
> 
> 
> I am not sure how to look at this.
> 
> I am almost sure I did something wrong, maybe when I created the root CA
> or the intermediate?
> 


Since you are not using a self-signed cert, Squid is checking the
cert.pem file to see if any chain CAs exist in there.

Squid found one CA cert in the file and determined that it was not an
Issuer to place in the chain *after* the known signing CA.


Since this is the same file the cert= value came from, you should expect
the first thing that it finds is the signing CA cert. That already
exists in the known bit of chain and is not its own Issuer. So it should be
skipped.


From your description, the root CA was next in the chain and already
configured into the Browser. So you should not see any chain info
actually loaded for this setup. Though if you want to send even the root
CA you could add it to the file and Squid would send the full chain.


There is only a problem if:

 * the file being loaded is not one you wanted to load,
or
 * the displayed CN is something you did not expect to see in that file, or
 * the CA with that CN is supposed to be part of the CA chain which
signed/issued your cert= certificate:
  - Issuer sequence broken, or
  - Issuer sequence missing an entry, or
  - CAs not in correct chain order in the file.

Amos
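An added example, not from the thread and not Squid's own code, that does the two things the thread talks about: the openssl inspection Eliezer says he will run, and the three "issuer sequence" checks Amos lists at the end of his reply. It walks the PEM blocks of a cert= bundle in file order and reports whether each certificate is directly followed by its issuer, which is the layout Squid reads the chain from. The CA names, the rsa:2048 keys and the good/bad bundles it builds for itself are constructed for the example; the only assumption is a working openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the squid-users thread, not Squid code): check that the
# PEM blocks in a Squid cert= bundle form an unbroken issuer chain in the order
# Squid expects: end-entity cert first, each following cert issuing the one before.
# Assumes only the openssl CLI is installed.
set -eu

# split_pem FILE DIR: copy each CERTIFICATE block of FILE to DIR/1.pem, DIR/2.pem, ...
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# dn subject|issuer FILE: print that DN in RFC 2253 form with the "subject="/"issuer=" prefix removed.
# DN equality is tested as a plain string below; a full X.509 path builder would
# also match AuthorityKeyIdentifier against SubjectKeyIdentifier.
dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# check_chain_order FILE: one line per certificate; returns 0 if every cert is
# followed by its issuer (or is the last one in the file), 1 if the sequence is broken.
check_chain_order() {
    tmp=$(mktemp -d)
    split_pem "$1" "$tmp"
    rc=0
    i=1
    while [ -f "$tmp/$i.pem" ]; do
        subj=$(dn subject "$tmp/$i.pem")
        issu=$(dn issuer "$tmp/$i.pem")
        next=$((i + 1))
        if [ -f "$tmp/$next.pem" ]; then
            nextsubj=$(dn subject "$tmp/$next.pem")
            if [ "$issu" = "$nextsubj" ]; then
                echo "ok   #$i '$subj' is issued by #$next"
            else
                # Amos's cases: sequence broken, entry missing, or CAs in the wrong order
                echo "BAD  #$i '$subj' is issued by '$issu', but #$next is '$nextsubj'"
                rc=1
            fi
        elif [ "$subj" = "$issu" ]; then
            echo "root #$i '$subj' (self-signed; clients must already trust it)"
        else
            # The chain stops here; the issuer must be in the client's trust store
            echo "end  #$i '$subj' issued by '$issu', which is not in the file"
        fi
        i=$next
    done
    rm -rf "$tmp"
    return $rc
}

# make_test_chain DIR: build a throw-away root -> intermediate -> leaf chain
# (constructed for this example) and two bundles:
#   DIR/good.pem = leaf + intermediate         (the order Squid expects; root lives in the browser)
#   DIR/bad.pem  = leaf + root + intermediate  (intermediate out of place)
make_test_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Example/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=Example Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=proxy.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" >"$d/good.pem"
    cat "$d/leaf.pem" "$d/root.pem" "$d/int.pem" >"$d/bad.pem"
}

# Usage: sh check_chain_order.sh /etc/squid/ssl_cert/cert.pem
if [ -n "${1:-}" ]; then
    check_chain_order "$1"
fi
```

Run it against the same file named in the cert= option. A bundle whose only "end" line names the root that the browsers already trust is exactly the layout Amos describes, and every "BAD" line is one of his three broken-sequence cases. Note that `openssl verify -CAfile root.pem -untrusted bad.pem leaf.pem` would still succeed, because verify builds the path from any order; the file order matters here because Squid reads and sends the chain in that order.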