Hi,

maybe I understood something wrong, but I'm trying to do the following setup with squid 2.6.STABLE7 and couldn't find anything related to my errors and problems.

Wished setup:

    client --ssl (cacert signed)--> squid (reverse) --ssl (selfsigned)--> apache

However, while accessing this setup with the browser, I always get the squid error page with "(71) protocol error" and that the connection to the apache couldn't be established.

In the squid cache.log I get this error several times:

    2007/03/09 13:39:43| SSL unknown certificate error 18 in /C=CH/ST=Some-State/L=World/O=foo/OU=bar/CN=some.host.com/emailAddress=root@xxxxxxxxxxxxx
    2007/03/09 13:39:43| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

However, if I use on the apache the cacert signed cert as I have it on the reverse squid host, it works perfectly and I can access the sites through the squid. So this setup works:

    client --ssl (cacert signed)--> squid (reverse) --ssl (cacert signed (same cert))--> apache

(except this error in cache.log:

    2007/03/09 13:41:53| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)

)

To create the self signed cert I used:

    openssl req -new -newkey rsa:1024 -nodes -x509 -keyout foo_key.pem -out foo.pem -days 3600

Accessing this directly is no problem, except the normal warning due to the self signed cert. So https works with that cert on apache.

Well, for me it is clear that squid cannot verify the cert as it is self signed. However, I'd like to tell squid that it should accept this cert, not try to verify it or whatever, to be possible to use it. But I couldn't find such an option for the https_port option.

I also tried to make an own CA and then use a cert signed by this and add the own CA cert to the https_port with the cafile=/path/ option. However, this changes only the unknown ssl error from 18 to 20.

For me also the following setup would work:

    client --ssl (cacert signed)--> squid (reverse) ---http--> apache

by using the protocol=http option, which is also working. However, this makes it impossible to have different sites served by https or http, and it also makes the site that should be https-only accessible by http-only. If I could change this behaviour with any other options/tricks, this would be nice.

As I mentioned at the beginning, it might be that I understood reverse, https and certs wrong. However, in my opinion the first wished setup should work and I only have that problem of self signed certs. Is it possible to avoid this problem and use a different (self signed) cert on the apache?

Thanks for your answers and greets,
pete

PS: Please cc me, as I'm currently not on the list, so that I get the mails anyway until I have subscribed. Thanks.
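
The numbers 18 and 20 in the cache.log lines above are OpenSSL X.509 verify results: 18 is a self-signed certificate that is not itself a trust anchor, 20 is a certificate whose issuer is not among the trusted CAs. The script below is an added example, not part of the original post; it reproduces both results with the openssl command line, using constructed throwaway certificates (the names backend.example and Example Test CA are assumptions).

```shell
#!/bin/sh
# Added example: constructed throwaway certificates, no real hosts involved.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed server cert, as in the post but with a 2048-bit key
# (current OpenSSL builds may reject 1024-bit RSA).
make_selfsigned() {
    openssl req -new -newkey rsa:2048 -nodes -x509 -days 1 \
        -subj "/CN=backend.example" \
        -keyout "$WORK/self_key.pem" -out "$WORK/self.pem" >/dev/null 2>&1
}

# Private CA plus a server cert signed by it (the post's second attempt).
make_ca_signed() {
    openssl req -new -newkey rsa:2048 -nodes -x509 -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=backend.example" \
        -keyout "$WORK/leaf_key.pem" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Print the numeric verify error for certificate $1, or 0 if it verifies.
# $2 is an optional file of CA certificates to trust for this check.
verify_code() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-0}"
}

make_selfsigned
make_ca_signed
echo "self-signed, not trusted:       $(verify_code "$WORK/self.pem")"
echo "self-signed, trusted as anchor: $(verify_code "$WORK/self.pem" "$WORK/self.pem")"
echo "CA-signed, CA not trusted:      $(verify_code "$WORK/leaf.pem")"
echo "CA-signed, CA trusted:          $(verify_code "$WORK/leaf.pem" "$WORK/ca.pem")"
```

A result of 0 in the second and fourth lines shows that verification passes once the verifying side is given the matching certificate as a trusted CA.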