Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-28 Thread Julien TEHERY
Yes, that's what I did. As I explained before, I provided Squid with a PEM file
containing:

  *   server key
  *   server cert
  *   intermediate cert

with, in squid.conf:

https_port 8443 tls-cert=path/to/my/wildcard.pem

I did not try to add the root cert, as I'm aware it's not necessary.

I've spent so many hours on something that should work quickly...

From: squid-users  on behalf of
Matus UHLAR - fantomas 
Sent: Thursday 28 May 2020 10:12
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] HTTPS_PORT AND SSL CERT

On 28.05.20 06:32, Julien  TEHERY wrote:
>I retried everything possible in terms of order in the PEM file. From my
>workstation, if I do "openssl s_client -showcerts -connect
>mysquid.mycompany.com:8443" I only get one certificate/issuer, but with the same
>command on the same server but a different port (Apache listening on 443), I
>correctly get 2 certificates/issuers:
>
>I should clarify that my HTTPS configuration isn't for ssl_bump purposes but only to
>provide secure access to the HTTP proxy through the WAN with a valid
>certificate.
>Do some of you use complete certificates (including intermediate) with
>Squid? If yes, please tell me how you made it work.
>I do have the latest stable Squid version built with OpenSSL support.

You apparently need to provide a concatenated list of your Squid certificate and
the intermediate certificate that signed your Squid certificate.

You don't need to provide the root certificate that signed the intermediate
certificate, since browsers need to have that certificate installed
(otherwise they wouldn't trust the certificate at all).


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-28 Thread Matus UHLAR - fantomas

On 28.05.20 06:32, Julien  TEHERY wrote:

>I retried everything possible in terms of order in the PEM file. From my
>workstation, if I do "openssl s_client -showcerts -connect
>mysquid.mycompany.com:8443" I only get one certificate/issuer, but with the same
>command on the same server but a different port (Apache listening on 443), I
>correctly get 2 certificates/issuers:
>
>I should clarify that my HTTPS configuration isn't for ssl_bump purposes but only to provide
>secure access to the HTTP proxy through the WAN with a valid certificate.
>Do some of you use complete certificates (including intermediate) with
>Squid? If yes, please tell me how you made it work.
>I do have the latest stable Squid version built with OpenSSL support.


You apparently need to provide a concatenated list of your Squid certificate and
the intermediate certificate that signed your Squid certificate.

You don't need to provide the root certificate that signed the intermediate
certificate, since browsers need to have that certificate installed
(otherwise they wouldn't trust the certificate at all).


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-28 Thread Julien TEHERY
I retried everything possible in terms of order in the PEM file.
From my workstation, if I do "openssl s_client -showcerts -connect
mysquid.mycompany.com:8443" I only get one certificate/issuer, but with the same
command on the same server but a different port (Apache listening on 443), I
correctly get 2 certificates/issuers:

I should clarify that my HTTPS configuration isn't for ssl_bump purposes but only to provide
secure access to the HTTP proxy through the WAN with a valid certificate.
Do some of you use complete certificates (including intermediate) with
Squid? If yes, please tell me how you made it work.
I do have the latest stable Squid version built with OpenSSL support.

If Squid isn't able to do that, as we do with so many other pieces of software, I
should consider using an HAProxy server or Apache reverse proxy in front of
Squid to handle the SSL cert correctly.

Regards,




From: Julien TEHERY 
Sent: Wednesday 27 May 2020 09:54
To: Amos Jeffries ; squid-users@lists.squid-cache.org 
Subject: RE: [squid-users] HTTPS_PORT AND SSL CERT

Unfortunately, I've just compiled and built deb packages of a fresh new Squid 4.11.
Now SSL support should be fully operational, but the certificate is still not
showing the intermediate.

I just tried https_port 8443 tls-cert=/etc/squid/wildcard.mycompany.com.pem
where in the PEM file I have, in this precise order:

  *   cert key
  *   server cert
  *   intermediate cert

The openssl client shows only the cert issuer, whereas it should show both.
Did I miss something?

On 26/05/20 7:24 pm, Julien TEHERY wrote:
> To make it work all the time i had to add my intermediate certificate
> (thawte) in the local store, so that means intermediate certificate has
> not been delivered by the squid server as it should.

The experimental GnuTLS support in Debian package does not yet support
certificate chains. That is still some ways off.

For now if there is a chain with intermediate certificates you still
need to use an OpenSSL build of Squid.

Amos


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-27 Thread Julien TEHERY
Unfortunately, I've just compiled and built deb packages of a fresh new Squid 4.11.
Now SSL support should be fully operational, but the certificate is still not
showing the intermediate.

I just tried https_port 8443 tls-cert=/etc/squid/wildcard.mycompany.com.pem
where in the PEM file I have, in this precise order:

  *   cert key
  *   server cert
  *   intermediate cert

The openssl client shows only the cert issuer, whereas it should show both.
Did I miss something?

On 26/05/20 7:24 pm, Julien TEHERY wrote:
> To make it work all the time i had to add my intermediate certificate
> (thawte) in the local store, so that means intermediate certificate has
> not been delivered by the squid server as it should.

The experimental GnuTLS support in Debian package does not yet support
certificate chains. That is still some ways off.

For now if there is a chain with intermediate certificates you still
need to use an OpenSSL build of Squid.

Amos


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-27 Thread Julien TEHERY
It's already the case: the server has a public IP and a valid cert.
As Amos says, it is related to the GnuTLS implementation, which is experimental.
Squid has to be built with OpenSSL to support chain certificates.

From: Ronan Lucio 
Sent: Wednesday 27 May 2020 02:10
To: Julien TEHERY 
Cc: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] HTTPS_PORT AND SSL CERT

If your server listens on a public IP, you can use a valid certificate.

On Tue, May 26, 2020 at 7:24 PM Julien TEHERY
 wrote:
>
> Hi there,
>
> I'm actually facing a problem with Squid 4.6-1 (Debian 10).
> I'm using Squid with the https_port directive, using an SSL certificate (a true
> one, not self-signed).
>
> Here is the simple setup:
>
> https_port X.X.X.X:8443 tls-cert=/etc/squid/mywildcard.com.pem
>
> The fact is that this setup works for all Firefox versions using a proxy.pac file
> for HTTPS connections to the Squid server.
> But for Chrome this is quite different. Indeed Chrome uses the system's proxy
> settings and I noticed that sometimes it would work and sometimes it would
> fail.
> To make it work all the time I had to add my intermediate certificate
> (Thawte) to the local store, so that means the intermediate certificate has not
> been delivered by the Squid server as it should.
>
> The PEM file in the above setup already contains this (PEM file made by
> concatenating private key, cert, intermediate and root CA). I also tried the
> following syntax:
>
> https_port X.X.X.X:8443 cert=/etc/squid/mywildcard..com.cer 
> key=/etc/squid/mywildcard.com.key 
> cafile=/etc/squid/mywildcard..com-intermediaire.txt
>
> but each time I try to see with the openssl client if my intermediate is
> delivered, it's not.
> I use "openssl s_client -showcerts -connect myproxy.com:8443"
>
> If I do the same thing on an Apache server with the same certificate files I
> can see both certificate and intermediate. Why isn't Squid able to show it,
> did I miss something?
>
>
> Thanks for your help


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-26 Thread Ronan Lucio
If your server listens on a public IP, you can use a valid certificate.

On Tue, May 26, 2020 at 7:24 PM Julien TEHERY
 wrote:
>
> Hi there,
>
> I'm actually facing a problem with Squid 4.6-1 (Debian 10).
> I'm using Squid with the https_port directive, using an SSL certificate (a true
> one, not self-signed).
>
> Here is the simple setup:
>
> https_port X.X.X.X:8443 tls-cert=/etc/squid/mywildcard.com.pem
>
> The fact is that this setup works for all Firefox versions using a proxy.pac file
> for HTTPS connections to the Squid server.
> But for Chrome this is quite different. Indeed Chrome uses the system's proxy
> settings and I noticed that sometimes it would work and sometimes it would
> fail.
> To make it work all the time I had to add my intermediate certificate
> (Thawte) to the local store, so that means the intermediate certificate has not
> been delivered by the Squid server as it should.
>
> The PEM file in the above setup already contains this (PEM file made by
> concatenating private key, cert, intermediate and root CA). I also tried the
> following syntax:
>
> https_port X.X.X.X:8443 cert=/etc/squid/mywildcard..com.cer 
> key=/etc/squid/mywildcard.com.key 
> cafile=/etc/squid/mywildcard..com-intermediaire.txt
>
> but each time I try to see with the openssl client if my intermediate is
> delivered, it's not.
> I use "openssl s_client -showcerts -connect myproxy.com:8443"
>
> If I do the same thing on an Apache server with the same certificate files I
> can see both certificate and intermediate. Why isn't Squid able to show it,
> did I miss something?
>
>
> Thanks for your help


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-26 Thread Amos Jeffries
On 26/05/20 7:24 pm, Julien TEHERY wrote:
> To make it work all the time i had to add my intermediate certificate
> (thawte) in the local store, so that means intermediate certificate has
> not been delivered by the squid server as it should.

The experimental GnuTLS support in Debian package does not yet support
certificate chains. That is still some ways off.

For now if there is a chain with intermediate certificates you still
need to use an OpenSSL build of Squid.

Amos


[squid-users] HTTPS_PORT AND SSL CERT

2020-05-26 Thread Julien TEHERY
Hi there,

I'm actually facing a problem with Squid 4.6-1 (Debian 10).
I'm using Squid with the https_port directive, using an SSL certificate (a true
one, not self-signed).

Here is the simple setup:

https_port X.X.X.X:8443 tls-cert=/etc/squid/mywildcard.com.pem

The fact is that this setup works for all Firefox versions using a proxy.pac file for
HTTPS connections to the Squid server.
But for Chrome this is quite different. Indeed Chrome uses the system's proxy
settings and I noticed that sometimes it would work and sometimes it would
fail.
To make it work all the time I had to add my intermediate certificate (Thawte)
to the local store, so that means the intermediate certificate has not been
delivered by the Squid server as it should.

The PEM file in the above setup already contains this (PEM file made by
concatenating private key, cert, intermediate and root CA). I also tried the
following syntax:

https_port X.X.X.X:8443 cert=/etc/squid/mywildcard..com.cer 
key=/etc/squid/mywildcard.com.key 
cafile=/etc/squid/mywildcard..com-intermediaire.txt

but each time I try to see with the openssl client if my intermediate is delivered,
it's not.
I use "openssl s_client -showcerts -connect myproxy.com:8443"

If I do the same thing on an Apache server with the same certificate files I
can see both certificate and intermediate. Why isn't Squid able to show it, did
I miss something?


Thanks for your help
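The two things the thread keeps going back to are the layout of the PEM bundle handed to `https_port tls-cert=` (key, server cert, intermediate, no root, as Matus describes) and the `openssl s_client -showcerts` count that differs between the Squid listener and Apache. The script below is an added example, not code from the thread or from the Squid project: it lints a bundle offline for that layout, optionally flags a self-signed root at the end of the file, and wraps the on-wire count. The layout it enforces (exactly one private key, then at least two certificates) is my assumption based on the bundle described in the thread, and the sample bundles it builds are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# (1) lint the PEM bundle given to https_port tls-cert=,
# (2) optionally flag a trailing self-signed root,
# (3) count the certificates a live listener actually sends.
# Assumption (mine): the bundle layout used in the thread, one private key
# block, then the server certificate, then its intermediate(s), no root.

# Print the PEM block labels of FILE, one per line, in file order.
# "RSA PRIVATE KEY" / "EC PRIVATE KEY" are normalised to "PRIVATE KEY".
pem_blocks() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" \
    | sed -e 's/^RSA PRIVATE KEY$/PRIVATE KEY/' -e 's/^EC PRIVATE KEY$/PRIVATE KEY/'
}

# Return 0 when FILE has exactly one private key and at least two
# certificates (leaf + intermediate); otherwise print why and return 1.
check_bundle() {
  keys=$(pem_blocks "$1" | grep -c '^PRIVATE KEY$' || true)
  certs=$(pem_blocks "$1" | grep -c '^CERTIFICATE$' || true)
  if [ "$keys" -ne 1 ]; then
    echo "$1: expected exactly 1 private key block, found $keys" >&2
    return 1
  fi
  if [ "$certs" -lt 2 ]; then
    echo "$1: only $certs certificate block(s); the intermediate is missing" >&2
    return 1
  fi
  return 0
}

# With openssl installed, report whether the last certificate in FILE is
# self-signed, i.e. a root the server does not need to send.
# Returns 0 = root present, 1 = not a root, 2 = openssl not available.
last_cert_is_root() {
  command -v openssl >/dev/null 2>&1 || return 2
  last=$(awk '/^-----BEGIN CERTIFICATE-----$/ {buf=""}
              {buf=buf $0 "\n"}
              /^-----END CERTIFICATE-----$/ {keep=buf}
              END {printf "%s", keep}' "$1")
  subj=$(printf '%s\n' "$last" | openssl x509 -noout -subject)
  iss=$(printf '%s\n' "$last" | openssl x509 -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Count the CERTIFICATE blocks a live TLS listener sends in its handshake,
# the same check as the thread's "openssl s_client -showcerts" (needs network).
served_cert_count() {  # HOST PORT
  openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
    | grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Constructed sample bundles for the offline demo: the base64 bodies are
# placeholders, not real keys or certificates. Labels: KEY, CERT.
fake_bundle() {  # FILE LABEL...
  f=$1; shift
  : > "$f"
  for lbl in "$@"; do
    case $lbl in
      KEY)  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIBCONSTRUCTEDPLACEHOLDER=' '-----END PRIVATE KEY-----' >> "$f" ;;
      CERT) printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBCONSTRUCTEDPLACEHOLDER=' '-----END CERTIFICATE-----' >> "$f" ;;
    esac
  done
}

# Offline demo: a bundle carrying the chain versus a leaf-only bundle.
demo() {
  tmp=$(mktemp -d)
  fake_bundle "$tmp/chain.pem" KEY CERT CERT
  fake_bundle "$tmp/leaf-only.pem" KEY CERT
  check_bundle "$tmp/chain.pem" && echo "chain.pem layout: $(pem_blocks "$tmp/chain.pem" | tr '\n' ' ')"
  check_bundle "$tmp/leaf-only.pem" || echo "leaf-only.pem rejected, as expected"
  rm -rf "$tmp"
}
demo
```

`served_cert_count host 8443` against the proxy and `served_cert_count host 443` against Apache reproduces the comparison in the thread (1 versus 2 certificates). If the bundle passes `check_bundle` and the listener still sends only one certificate, the build is the next suspect: as Amos notes, the Debian GnuTLS build does not send chains, so confirm that `squid -v` lists `--with-openssl` among its configure options before spending more time on the file.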