Earlier, in "架設 Proxy over TLS" (Setting up Proxy over TLS), I mentioned that I had set up a Proxy over TLS service with Squid. It worked fine at home, but at the office it did not work at all. After tracing the problem, I found that the Squid + GnuTLS build currently packaged in Ubuntu cannot serve intermediate certificates, and someone had already asked about this: "[squid-users] HTTPS_PORT AND SSL CERT".
I'll first describe how to test for the problem, then the fix.
You can test with openssl s_client -connect hostname:port; in the normal case you should see two levels in the presented chain. In this example, R3 signed home.gslin.org, DST Root CA X3 signed R3, and DST Root CA X3 is in the root certificate list:
$ openssl s_client -connect home.gslin.org:443
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = home.gslin.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = home.gslin.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
If the intermediate certificate is not sent, the trust chain cannot be built. Take nointermediate.gslin.com, which I set up deliberately to show this: R3 signed nointermediate.gslin.com, but R3 is not in the root certificate list, so verification fails:
$ openssl s_client -connect nointermediate.gslin.com:443
CONNECTED(00000003)
depth=0 CN = nointermediate.gslin.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = nointermediate.gslin.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = nointermediate.gslin.com
verify return:1
---
Certificate chain
 0 s:CN = nointermediate.gslin.com
   i:C = US, O = Let's Encrypt, CN = R3
---
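As an added check (example code, not from the original post), here is a small Python script that parses the "Certificate chain" section of openssl s_client output and reports every issuer the server neither presented itself nor that appears in a local root set. The two sample outputs and the TRUSTED_ROOTS set are constructed from the captures above; check_server is an assumed helper that runs openssl s_client against a live host.

```python
import re
import subprocess

# Constructed samples, shaped like the two `openssl s_client` captures above:
# a server sending leaf + intermediate, and one sending only the leaf.
COMPLETE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = home.gslin.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
LEAF_ONLY_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = nointermediate.gslin.com
   i:C = US, O = Let's Encrypt, CN = R3
---
"""
# Hypothetical local trust store, keyed by subject name as s_client prints it.
TRUSTED_ROOTS = {"O = Digital Signature Trust Co., CN = DST Root CA X3"}

CHAIN_ENTRY = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(m.group(1).strip(), m.group(2).strip())
            for m in CHAIN_ENTRY.finditer(s_client_output)]

def missing_issuers(s_client_output, trusted_roots=TRUSTED_ROOTS):
    """Issuers neither sent by the server nor present in the root set.
    A non-empty result is the symptom the GnuTLS build of Squid shows."""
    chain = parse_chain(s_client_output)
    sent = {subject for subject, _ in chain}
    return [issuer for _, issuer in chain
            if issuer not in sent and issuer not in trusted_roots]

def check_server(host, port=443):
    """Assumed helper: run openssl s_client live and return missing issuers."""
    out = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=15).stdout.decode(errors="replace")
    return missing_issuers(out)

if __name__ == "__main__":
    print(missing_issuers(COMPLETE_CHAIN))   # []
    print(missing_issuers(LEAF_ONLY_CHAIN))  # ["C = US, O = Let's Encrypt, CN = R3"]
```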
The fix I came up with is to rebuild Squid myself, replacing the original --with-gnutls with --with-openssl.
First install everything listed in Build-Depends, add libssl-dev on top, then swap out --with-gnutls, build, and finally produce the .deb:
sudo apt install -y ed libltdl-dev pkg-config build-essential cdbs debhelper dpkg-dev lsb-release dh-apparmor libcppunit-dev libcap2-dev libdb-dev libecap3-dev libexpat1-dev libgnutls28-dev libkrb5-dev comerr-dev libldap2-dev libnetfilter-conntrack-dev libpam0g-dev libsasl2-dev libxml2-dev nettle-dev libssl-dev
apt-get source squid
cd squid/squid-4.10
sed -i -e 's/--with-gnutls/--with-openssl/' debian/rules
cd ..
dpkg-buildpackage -rfakeroot -uc -b
The resulting .deb can then be installed on other machines, and Squid will send out the intermediate certificate...