[squid-users] HTTPS Proxy
Stuart Henderson
stu.lists at spacehopper.org
Wed Oct 8 08:58:10 UTC 2025
On 2025-10-07, Alex Rousskov <rousskov at measurement-factory.com> wrote:
> On 2025-10-07 14:01, John Brayton wrote:
>> Yes, curl trusts the same wildcard certificate when it is
>> presented by an nginx server.
>
> How do you know that curl sees the same certificate chain in both tests?
>
> I am guessing that you have tried to use the same certificate chain in
> both Squid and nginx configurations, but the question is about what curl
> sees/gets.
>
> It is unlikely that curl would receive the same certificate chain but
> only trust the chain "presented by an nginx server". Most likely,
> something differs in those two chains/cases. For example, nginx sends an
> intermediate certificate as a part of that chain while Squid does not.
> Or the order of certificates in that chain differs. The pointers in my
> earlier response may help you tease out that critical difference.
Output from the following two commands may throw light on the situation:

  openssl s_client -connect proxyhost:8888
  http_proxy=https://proxyhost:8888/ curl -v http://www.squid-cache.org/

In my case, testing on a box which has squid 6.14 installed, compiled
using --with-openssl against libressl libraries, with the server cert
file listed in https_port "tls-cert" containing first the cert for the
server, and second the intermediate cert from the CA (no root CA cert in
the file), squid presents the correct server and intermediate cert, curl
verifies the server as expected, but the client connection is rejected
by the server after the request was made unless it provides a client
cert.
If I then add sslflags=CONDITIONAL_AUTH to the https_port line, the
connection is accepted regardless of whether the client presents a cert.
You may see different results depending on at least the TLS library
and order and contents of the certificate file.
--
Please keep replies on the mailing list.
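The thread above comes down to comparing what each server actually sends: whether the intermediate is present, whether the order is leaf-first, and whether the server asks for a client certificate. The following added example (not part of the original post, nor Squid or curl code) parses the "Certificate chain" section that `openssl s_client` prints and reports those three conditions; the proxy name, CA names and the sample output are constructed, and `trusted_subjects` is assumed to hold the subjects of the roots in the client's CA bundle.

```python
import re
# Matches the "N s:<subject>" / "i:<issuer>" pairs under "Certificate chain".
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, subject = [], None
    for line in output.splitlines():
        if (m := SUBJECT_RE.match(line)):
            subject = m.group(2).strip()
        elif (m := ISSUER_RE.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def diagnose(output, trusted_subjects=frozenset()):
    """List reasons a client could fail to verify; trusted_subjects = root subjects."""
    chain = parse_chain(output)
    if not chain:
        return ["no 'Certificate chain' section found: not TLS, or handshake failed"]
    findings = []
    # Leaf first; each cert must be issued by the one that follows it.
    for idx in range(len(chain) - 1):
        issuer, next_subject = chain[idx][1], chain[idx + 1][0]
        if issuer != next_subject:
            findings.append(f"cert {idx} issued by '{issuer}' but cert {idx + 1} is "
                            f"'{next_subject}': chain out of order or a cert is missing")
    last_subject, last_issuer = chain[-1]
    # Roots are normally omitted, so the client must already trust the last issuer.
    if last_subject != last_issuer and last_issuer not in trusted_subjects:
        findings.append(f"chain ends at '{last_issuer}', neither sent nor trusted: "
                        "the intermediate is probably missing from the tls-cert file")
    # s_client prints this heading only when the server sent a CertificateRequest.
    if "Acceptable client certificate CA names" in output:
        findings.append("server requested a client certificate; clients without one "
                        "may be rejected unless the port makes client auth optional")
    return findings
# Constructed sample s_client output (not captured from a real host).
TRUSTED = {"C = US, O = Example CA, CN = Example Root CA"}
FULL_CHAIN = """Certificate chain
 0 s:CN = proxy.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
Acceptable client certificate CA names
C = US, O = Example CA, CN = Example Root CA
"""
LEAF_ONLY = FULL_CHAIN.split(" 1 s:")[0]  # same server sending only cert 0
```

Feed it the real output with `openssl s_client -connect proxyhost:8888 < /dev/null | python3 -c 'import sys, chaincheck; print(chaincheck.diagnose(sys.stdin.read(), {...}))'` for both the Squid and the nginx port and compare the findings.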