On 3/03/2012 7:57 a.m., Yucong Sun (叶雨飞) wrote:
> Hi,
> I've been trying to use an SSL connection to a parent squid proxy, and
> the child squid always fails even though I specifically asked it to stop
> verifying stuff
The child verifying the parent? Or the parent verifying the child?
SSL is designed not to allow problems to go unseen, so validation
happens at both ends. You can only control what Squid (child) verifies
from squid.conf.
> here's the relevant config on child
> sslproxy_cert_error allow all
This makes Squid completely ignore all server errors when negotiating TLS.
You should not need it unless the server certificate is malformed.
> sslproxy_flags DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
These are for controlling the DIRECT access TLS connections.
> cache_peer x.x.x.x parent 8443 0 no-digest no-query default ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN,NO_DEFAULT_CA sslcert=ssl.pem sslkey=ssl.key
This is what is affecting the peer.
If we assume your ssl.pem and ssl.key are valid, it could still be the
peer rejecting them.
> and this appears in the cache.log
> 2012/03/03 02:50:51| fwdNegotiateSSL: Error negotiating SSL connection on FD 11: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> I've verified the parent side works fine; in fact, the server side has
> been implemented using stunnel, and it works fine if I set up stunnel
> locally and tunnel squid through it.
Same ssl.pem/ssl.key certificates used by that test stunnel and this Squid?
Second question is whether you need ssl.pem/ssl.key at all?
SSL auto-generates random client certificates as needed if you only
specify the "ssl" option to cache_peer.
It is common to only specify the cache_peer options "ssl
sslflags=DONT_VERIFY_PEER" to have an auto-generated client
certificate, and ignore self-signed certificates from the peer.
Amos
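As an added illustration (not part of the thread above), a squid.conf fragment that puts the verification-disabled cache_peer line from the question next to a hardened one that checks the parent's certificate against a CA file the child trusts. The peer hostname, port and CA path are placeholders.

```conf
# Weak (as in the question): the child accepts whatever certificate the
# parent presents, including self-signed, expired or wrong-name ones.
# Fine for a first connectivity test, not for a production peer.
cache_peer parent.example.invalid parent 8443 0 no-query no-digest default ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN

# Hardened: verify the parent's certificate against a CA file you control
# (placeholder path) and require the certificate name to match the peer.
# sslcert=/sslkey= are omitted, so Squid uses an auto-generated client
# certificate, as the reply describes; add them only if the parent
# actually requires a client certificate it has been told to trust.
cache_peer parent.example.invalid parent 8443 0 no-query no-digest default ssl sslcafile=/etc/squid/parent-ca.pem ssldomain=parent.example.invalid

# sslproxy_* directives govern DIRECT server-side TLS, not cache_peer.
# Leave "sslproxy_cert_error allow all" out unless a specific server
# certificate is malformed, since it silences every server TLS error.
```

If the parent is stunnel with a self-signed certificate, the file given in sslcafile= is that certificate itself (or the CA that issued it), which is what makes the hardened line succeed without DONT_VERIFY_PEER.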