> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx]
> Sent: Monday, October 05, 2009 4:48 AM
> To: Dean Weimer
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: SSL Reverse Proxy testing With Invalid Certificate, can it be done.
>
> Fri 2009-09-25 at 10:57 -0500, Dean Weimer wrote:
>
> > 2009/09/25 11:38:07| SSL unknown certificate error 18 in...
> > 2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
>
> This is your Squid trying to use SSL to connect to the requested
> server.
> Not related to the http_port certificate settings.
>
> Validation requirements on peer certificates are set in cache_peer.
>
> Regards
> Henrik

I was running Squid 3.0.STABLE19 on the test system. Here are the configuration lines from the original test. At one point I had added cert lines on the cache_peer before realizing that those were only for use when certificate authentication was needed on the parent. I can't remember for sure if the log was copied from when I had those options on or not; I still had an invalid certificate error after removing them, but it may have been a different error number.

https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost
cache_peer 1.2.3.4 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite

My production server is a couple revisions behind, currently running STABLE17; it will be updated to 19 this coming weekend. I did not test it with the fake certificate.

Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co
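
An added example, not part of the original message and not Squid project code: a small Python check that scans squid.conf text for ssl cache_peer lines carrying the sslflags quoted above, so a test-only setting like this one is noticed before it reaches a production proxy. The second sample peer, its name and the sslcafile path are constructed placeholders.

```python
# Added example (not from the original message): flag cache_peer lines
# whose sslflags switch off certificate checks on the Squid-to-origin leg.

# The two flags used in the configuration quoted in the message.
RISKY_FLAGS = {
    "DONT_VERIFY_PEER": "peer certificate errors are accepted",
    "DONT_VERIFY_DOMAIN": "certificate is not matched against the server name",
}

# Line 2 is the cache_peer line from the message; line 4 is constructed.
SAMPLE_CONF = """\
# test system
cache_peer 1.2.3.4 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite
# constructed: verification left on, CA file path is a placeholder
cache_peer 1.2.3.4 parent 443 0 no-query originserver ssl sslcafile=/path/to/ca.pem name=secure_mysite_verified
"""

def parse_cache_peers(conf_text):
    """Return one dict per cache_peer directive (host, options, line number)."""
    peers = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        if len(tokens) < 5 or tokens[0] != "cache_peer":
            continue
        opts = {}
        for tok in tokens[5:]:
            key, _, value = tok.partition("=")
            opts[key] = value
        peers.append({"line": lineno, "host": tokens[1], "opts": opts})
    return peers

def audit(conf_text):
    """Return (line, peer name, flag) for each check disabled on an ssl peer."""
    findings = []
    for peer in parse_cache_peers(conf_text):
        opts = peer["opts"]
        if "ssl" not in opts:
            continue  # only peers marked ssl are checked
        flags = {f.strip() for f in opts.get("sslflags", "").split(",")}
        name = opts.get("name") or peer["host"]
        for flag in sorted(flags & set(RISKY_FLAGS)):
            findings.append((peer["line"], name, flag))
    return findings

if __name__ == "__main__":
    for line, name, flag in audit(SAMPLE_CONF):
        print(f"line {line}: peer {name}: {flag} ({RISKY_FLAGS[flag]})")
```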