> -----Original Message-----
> From: Chris Robertson [mailto:crobertson@xxxxxxx]
> Sent: Monday, September 28, 2009 4:16 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: SSL Reverse Proxy testing With Invalid Certificate, can it be done.
>
> Dean Weimer wrote:
> > I am trying to set up a test with an SSL reverse proxy on an intranet site. I currently have a fake self-signed certificate and the server is answering on the HTTP side just fine, and answering on the HTTPS; however, I get a (92) protocol error returned from the proxy when trying to access it through HTTPS.
> >
> > I have added the following lines for the HTTPS option
> >
> > https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost
> >
> > cache_peer 10.20.10.76 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite
> >
> > From the log I can see the error is caused by the invalid certificate.
> >
> > 2009/09/25 11:38:07| SSL unknown certificate error 18 in...
> > 2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> >
> > Is there a way that I can tell it to go ahead and trust this fake certificate during testing while I wait for the actual certificate that is valid to be issued?
> >
>
> Perhaps http://www.squid-cache.org/Doc/config/sslproxy_flags/
>
> >
> > Thanks,
> > Dean Weimer
> > Network Administrator
> > Orscheln Management Co
> >
>
> Chris

I didn't see that one, though I have the real certificate now and everything is working with it. I figure the sslflags on the cache peer settings should accomplish the same thing, but they didn't seem to make a difference whether I included them or not.

Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co
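
Added example (not part of the original thread and not Squid project code): a small Python check that decodes the verify code in the cache.log lines quoted above (error 18 is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) and lists cache_peer or sslproxy_flags lines that still disable certificate verification after testing. The function names, the second cache_peer line and its sslcafile path are constructed for illustration.

```python
import re

# OpenSSL X509 verify result codes (subset) that can show up in cache.log.
X509_VERIFY = {
    9: "X509_V_ERR_CERT_NOT_YET_VALID",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}
WEAK_FLAGS = {"DONT_VERIFY_PEER", "DONT_VERIFY_DOMAIN"}

def decode_verify_errors(log_text):
    """Return (code, OpenSSL constant) for each certificate error line."""
    hits = re.finditer(r"SSL unknown certificate error (\d+)", log_text)
    return [(int(m.group(1)), X509_VERIFY.get(int(m.group(1)), "unlisted"))
            for m in hits]

def audit_conf(conf_text):
    """Return (line number, peer name, flags) where verification is disabled."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        flags, label = set(), tok[0]
        if tok[0] == "cache_peer":
            for t in tok[1:]:
                key, _, val = t.partition("=")
                if key == "sslflags":
                    flags.update(val.split(","))
                elif key == "name":
                    label = val
        elif tok[0] == "sslproxy_flags":
            flags.update(",".join(tok[1:]).split(","))
        weak = sorted(flags & WEAK_FLAGS)
        if weak:
            findings.append((lineno, label, weak))
    return findings

# Lines 1-2 are from the thread; line 3 is constructed (pins a test CA instead).
SAMPLE_CONF = """\
https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost
cache_peer 10.20.10.76 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl sslcafile=/usr/local/squid/etc/certs/test-ca.pem name=secure_other
"""
SAMPLE_LOG = "2009/09/25 11:38:07| SSL unknown certificate error 18 in...\n"

if __name__ == "__main__":
    print(decode_verify_errors(SAMPLE_LOG))
    print(audit_conf(SAMPLE_CONF))
```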