On Thu, 27 Jan 2011 00:21:32 +0000, smudly Quickhands <smudly@xxxxxxxxxxx> wrote:
> Thanks for the previous post. I made the suggested changes to squid.conf
> but I still can not connect. Now on the Web browser I am getting "Failed to
> establish a secure connection to owaServer. The system returned (71)
> Protocol error".
>
> On the squid server I am seeing a bunch of the following:
>
> fwdNegotiateSSL: Error negotiating SSL connection on FD 12: error:
> 14090086: SSL routines:SSL3_GET_SERVER_CERTIFICATE: certificate verify
> failed (1/-1/0)
>
> Is this a configuration error with Squid or an issue with my
> certificates? I have one SSL certificate for mail.myco.com which I
> purchased for the Exchange server. Following the instructions in a
> previous post I exported the certificate on the Exchange Server, copied the
> pfx file to the Squid server and used openSSL to convert it to a private
> pem file which I stored in etc/ssl/private, a public pem file which I
> stored in etc/ssl/certs, and a server.key file which is stored in etc/ssl.
>
> Below is the current squid.conf file:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> acl localnet src 25.0.0.0/8 # RFC1918 possible internal network
>
> acl SSL_ports port 443
> acl Safe_ports port 80   # http
> acl Safe_ports port 443  # https
> acl Safe_ports port 25   #
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> https_port 25.36.2.33:443 accel cert=/etc/ssl/certs/mail.myco.com.pem key=/etc/ssl/server.key defaultsite=mail.myco.com
> cache_peer 25.36.2.32 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/certs/mail.myco.com.pem sslkey=/etc/ssl/server.key name=owaServer
>
> ** I tried the above line with connection-auth=on (and off)

The sslcert= parameter on cache_peer is the client cert to be used by Squid
when contacting that server. This is different to the server cert used on
https_port, and is often self-generated. The only key thing is that the OWA
server accepts it as valid.

I've updated the wiki example a bit to make it clearer:
http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

Amos
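As an added illustration (not part of the thread and not Squid's own code), the script below reproduces offline, with openssl, the check Squid performs on the origin server's certificate before fwdNegotiateSSL can succeed: a constructed throwaway CA issues a certificate for mail.myco.com, which is then verified against the issuing CA and against an unrelated CA, the latter failing with the same "certificate verify failed" condition seen in the log. It assumes a modern openssl (1.1 or later) with its default configuration installed.

```shell
#!/bin/sh
# Added example, not from the thread: replay offline the certificate
# verification Squid does on the origin server (the cache_peer). A
# throwaway CA (constructed; it stands in for the commercial CA that
# issued mail.myco.com) signs a server cert, and "openssl verify" then
# plays the role of Squid's peer check against a given CA bundle.
set -eu
WORK=$(mktemp -d)

make_test_pki() {
    # Issuing CA plus an unrelated second CA for the negative case
    for ca in issuer other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Test $ca CA" \
            -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" >/dev/null 2>&1
    done
    # Server key and CSR for the OWA host name, signed by the issuing CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.myco.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/issuer.pem" \
        -CAkey "$WORK/issuer.key" -CAcreateserial -days 1 \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_against BUNDLE: exit 0 when server.pem chains to a CA in BUNDLE,
# non-zero otherwise. A non-zero result is the condition Squid reports as
# "SSL3_GET_SERVER_CERTIFICATE: certificate verify failed".
verify_against() {
    openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Stand-alone run: the issuing CA passes, the unrelated CA fails
if [ "${1:-}" = "demo" ]; then
    make_test_pki
    verify_against "$WORK/issuer.pem" && echo "issuer CA: verify ok"
    verify_against "$WORK/other.pem" || echo "other CA: certificate verify failed"
fi
```

Run it as `sh check.sh demo`. The bundle that makes this verify succeed is what Squid needs to trust for the peer, which comes from the system CA store or the cache_peer sslcafile= option (assumed here from Squid's cache_peer documentation); the quoted config sets neither.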