Hi, I have setup Squid as a SSL MITM proxy. I am also using the cert download feature with these configurations in my squid.conf
acl cert_fetch transaction_initiator certificate-fetching http_access allow cert_fetch Websites where certificates just share AIA information using CA-issuer method, those work just fine. But try this one, https://community.verizonwireless.com/welcome (this gets bumped in my setup) Here the AIA information Is provided using both OCSP/CAissuer methods. >From Squid's access logs, I can tell that the certificate gets downloaded. 1526964147.929 160 - TCP_MISS/200 1868 GET http://cacert.omniroot.com/vpssg142.crt - HIER_DIRECT/64.18.25.46 application/x-x509-ca-cert But squid still reports: (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) SSL Certficate error: certificate issuer (CA) not known: /C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Public SureServer CA G14-SHA2 That is the only intermediate certificate needed in the chain. Here: https://www.ssllabs.com/ssltest/analyze.html?d=community.verizonwireless.com&latest When I download the intermediate certificate locally and try connecting to the remote server using openssl -Cafile option, Openssl reports OK (0). openssl s_client -connect 204.93.84.201:443 -showcerts -CAfile vpssg142.crt -servername community.verizon.com >> Verify return code: 0 (ok) Regards, Sarfaraz
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
