So following advice and instructions on this page: http://wiki.squid-cache.org/Features/DynamicSslCert
I have set up my lab with an explicit proxy by exporting http_proxy and https_proxy. After creating the self-signed root CA certificate above and creating the .der file for the client, here are my results:

From the squid side:

2015/05/25 10:02:20.161| Using certificate in /opt/etc/squid/certs/SquidCA.pem
2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain: Certificate is self-signed, will not be chained

I get the below when I don't specify a CA with curl, otherwise when I do I get no error:

2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)

And from the client side:

root@kali:~/test# curl -v https://mail.slave-tothe-box.net
* About to connect() to proxy 192.168.1.9 port 3129 (#0)
*   Trying 192.168.1.9...
* connected
* Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
* Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> Host: mail.slave-tothe-box.net:443
> User-Agent: curl/7.26.0
> Proxy-Connection: Keep-Alive
>
* Easy mode waiting response from proxy CONNECT
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection #0

And testing with specifying the .der file:

root@kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v https://mail.slave-tothe-box.net
* About to connect() to proxy 192.168.1.9 port 3129 (#0)
*   Trying 192.168.1.9...
* connected
* Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
* Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
> Host: mail.slave-tothe-box.net:443
> User-Agent: curl/7.26.0
> Proxy-Connection: Keep-Alive
>
* Easy mode waiting response from proxy CONNECT
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* error setting certificate verify locations:
  CAfile: /etc/ssl/certs/SquidCA.der
  CApath: /etc/ssl/certs
* Closing connection #0
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/SquidCA.der
  CApath: /etc/ssl/certs

I can confirm that the server is using a bona fide certificate issued from StartSSL and works, so at this point I'm open to suggestions.

Thank you.
James
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
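Added example (not from James's post, Squid or curl): a small check for the file handed to curl --cacert, which expects a PEM bundle, so passing the .der made for browser import gives the "error setting certificate verify locations" (exit 77) seen in the second run. It detects DER from the outer ASN.1 SEQUENCE header and re-wraps it as PEM, the same result as "openssl x509 -inform der -in SquidCA.der -out SquidCA.pem"; the sample DER bytes below are constructed and are not a real certificate.

```python
"""Check whether a CA file is PEM or DER and produce PEM for curl --cacert."""
import base64
import sys

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Constructed sample: a minimal DER SEQUENCE (tag 0x30, length 5) wrapping an
# INTEGER. It is NOT a real certificate, only enough to exercise the parser.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03])


def _der_length_matches(data: bytes) -> bool:
    """True if the outer SEQUENCE length field spans exactly the whole file."""
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold length
    if n == 0 or len(data) < 2 + n:
        return False
    length = int.from_bytes(data[2:2 + n], "big")
    return len(data) == 2 + n + length


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a certificate file."""
    if PEM_BEGIN in data:
        return "pem"
    if len(data) >= 2 and data[0] == 0x30 and _der_length_matches(data):
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as a PEM CERTIFICATE block, 64 base64 chars per line."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_BEGIN, *lines, PEM_END]) + b"\n"


def ensure_pem(data: bytes) -> bytes:
    """Return bytes curl --cacert will accept, converting DER when needed."""
    fmt = detect_format(data)
    if fmt == "pem":
        return data
    if fmt == "der":
        return der_to_pem(data)
    raise ValueError("not a PEM or DER certificate file")


if __name__ == "__main__":
    # Usage: python ca_to_pem.py SquidCA.der > SquidCA.pem (paths are placeholders)
    sys.stdout.buffer.write(ensure_pem(open(sys.argv[1], "rb").read()))
```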