TL;DR: Squid v5.7 is not including the Issuer in the generated certificate
In the past I've been able to do HTTPS data caching by:
- building squid with:

      VERSION='4.11' ./configure --with-openssl --enable-ssl-crtd ...

- And creating a self-signed certificate

      sudo openssl req -new -newkey rsa:2048 -nodes \
        -x509 -sha256 -extensions v3_ca -days 365 \
        -keyout squid-ca-key.pem -out squid-ca-cert.pem \
        -subj "/C=AU/ST=WA/L=Perth/O=ACME Pty Ltd/OU=Innovation/CN=squid.d2i.net.au/[email protected]"

- changing ownership to the proxy user squid (redhat) or proxy (ubuntu)
- And setting the squid.conf with:

      http_port 3128 \
        ssl-bump \
        generate-host-certificates=on \
        dynamic_cert_mem_cache_size=4MB \
        cert=/opt/squid-4.11/certs/squid-ca-cert-key.pem
      sslcrtd_program /opt/squid-4.11/lib/security_file_certgen \
        -s /opt/squid-4.11/var/swap/ssl_db -M 16MB
      acl step1 at_step SslBump1
      ssl_bump peek step1
      ssl_bump bump all
      ssl_bump splice all

However, the settings recently with Squid v5.7 have been causing me difficulty, as Squid, although generating certificates dynamically, has been leaving the Issuer: value blank. As you can see from the openssl s_client output:
A full example of downloading a file is:

    openssl s_client \
      -proxy squid.d2i.net.au:3128 -servername github.com \
      -connect https://github.com/neovim/neovim/releases/download/v0.4.4/nvim-linux64.tar.gz

Are there any ideas why the Squid Service might not be providing a valid Certificate back to my client? Services like curl are returning errors like this:

    sudo curl --proxy squid.d2i.net.au:3128 https://github.com
    curl: (60) SSL: couldn't get X509-issuer name
    More details here: https://curl.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
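
One way to test for the symptom described in the question, as an added example that is not part of the original post: a certificate signed by a bumping CA should carry an issuer equal to the CA certificate's subject and should verify against it. The function names, file names and demo subject are assumptions made for the example.

```bash
#!/bin/sh
# Added example, not from the original post. Function names, file names and
# the demo subject are constructed for illustration.

# DN of a PEM certificate's subject / issuer (empty output means a blank DN).
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# 0 = leaf chains to CA; 1 = CA subject blank; 2 = leaf issuer blank;
# 3 = issuer does not name the CA; 4 = names match but signature does not verify.
check_bump_chain() {
  ca=$1; leaf=$2
  ca_subj=$(cert_subject "$ca")
  leaf_iss=$(cert_issuer "$leaf")
  [ -n "$ca_subj" ]  || { echo "CA subject is blank"; return 1; }
  [ -n "$leaf_iss" ] || { echo "leaf issuer is blank"; return 2; }
  [ "$ca_subj" = "$leaf_iss" ] || { echo "issuer is not the CA subject"; return 3; }
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
    || { echo "signature does not verify against CA"; return 4; }
  echo "ok: issuer=$leaf_iss"
}

# Build a throwaway CA and one leaf signed by it in directory $1.
make_demo_certs() {
  d=$1
  openssl req -new -newkey rsa:2048 -nodes -x509 -sha256 -days 1 \
    -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" \
    -subj "/C=AU/O=Example Org/CN=demo-bump-ca" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf-key.pem" \
    -out "$d/leaf.csr" -subj "/CN=host.example" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca-cert.pem" \
    -CAkey "$d/ca-key.pem" -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Demo run on the constructed certificates.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
check_bump_chain "$demo_dir/ca-cert.pem" "$demo_dir/leaf.pem"
```

To check a live proxy, save the certificate it presents (for example from `openssl s_client -showcerts` output) as the leaf and pass the file named in `cert=` as the CA.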
