On Fri, Mar 2, 2012 at 5:03 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 3/03/2012 7:57 a.m., Yucong Sun (叶雨飞) wrote:
>>
>> Hi,
>>
>> I've been trying to use an SSL connection to a parent squid proxy, and
>> the child squid always fails even when I specifically asked it to stop
>> verifying stuff
>
>
> The child verifying the parent? or the parent verifying the child?
> SSL is designed not to allow problems to go unseen, so validation happens at
> both ends. You can only control what Squid (child) verifies from squid.conf.

It looks like the child is verifying the parent, because the server side is a stunnel and we have other clients talking to it without issue.

>
>
>>
>> here's the relevant config on the child
>>
>> sslproxy_cert_error allow all
>
> This makes Squid completely ignore all server errors when negotiating TLS.
> You should not need it unless the server certificate is malformed.
>
>> sslproxy_flags DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
>
>
> These are for controlling the DIRECT access TLS connections.

Yeah, these should not be needed, but I am so desperate that I included them here.

>
>
>> cache_peer x.x.x.x parent 8443 0 no-digest no-query default ssl
>> sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN,NO_DEFAULT_CA
>> sslcert=ssl.pem sslkey=ssl.key
>
>
> This is what is affecting the peer.
>
> If we assume your ssl.pem and ssl.key are valid, it could still be the peer
> rejecting them.

It doesn't work without the cert/key either.

>
>
>>
>> and this appears in the cache.log
>>
>> 2012/03/03 02:50:51| fwdNegotiateSSL: Error negotiating SSL connection
>> on FD 11: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
>>
>> I've verified the parent side works fine; in fact, the server side has
>> been implemented using stunnel and it works fine if I set up stunnel
>> locally and tunnel squid through it.
>
>
> Same ssl.pem/ssl.key certificates used by that test stunnel and this Squid?

Yes, and the server is not verifying the client cert/key either.

>
> Second question is whether you need ssl.pem/ssl.key at all?
> SSL auto-generates random client certificates as needed if you only specify
> "ssl" option to cache_peer.
> It is common to only specify cache_peer options "ssl
> sslflags=DONT_VERIFY_PEER " to have an auto-generated client certificate,
> and ignore self-signed certificates from the peer.

That's what I originally thought, but it actually doesn't parse if I don't have those two there.

So it looks like something is missing in the SSL part that causes it to still try to verify the server cert. I switched the parent to a valid cert and it all starts to work. How can I trace this?

Cheers.

>
> Amos
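As an added example for the "how can I trace this?" question (not code from this thread or from the Squid project), the following POSIX shell helper probes the parent with openssl s_client, reads OpenSSL's "Verify return code" line, and maps it to the change that belongs on the cache_peer line, so the parent's chain is checked before anything is loosened with sslflags. Two facts worth knowing while reading the cache.log line quoted above: the triple (5/-1/104) is OpenSSL's SSL_ERROR_SYSCALL with return -1 and errno 104 (ECONNRESET), meaning the parent dropped the connection mid-handshake, and when that happens s_client prints no "Verify return code" line at all, which the helper reports separately from a trust failure. Host, port and CA path are placeholders, the s_client transcript is constructed, and the sslcafile= cache_peer option named in the advice is the Squid 3.x spelling (newer releases call it tls-cafile=).

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Diagnose a failing child->parent TLS handshake before reaching for
# sslflags=DONT_VERIFY_PEER: probe the parent with openssl s_client,
# read OpenSSL's "Verify return code" line, and map it to a squid.conf action.

# Probe the parent and emit the raw s_client transcript.
# $1 host, $2 port, $3 optional CA bundle (all placeholders; no network
# call happens unless you invoke this yourself).
probe_parent() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -showcerts -CAfile "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
    fi
}

# Pull the numeric verify code out of an s_client transcript on stdin.
# Prints nothing when the line is absent, which means no TLS handshake
# completed at all (the parent reset or closed the connection).
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Translate the code into what to change on the cache_peer line.
# 18/19/20/21 are OpenSSL's self-signed / missing-issuer verify errors.
advise() {
    case "$1" in
        0)  echo "chain verifies: leave peer verification enabled" ;;
        18|19|20|21)
            echo "untrusted chain: point the cache_peer at the parent's CA (sslcafile=) instead of DONT_VERIFY_PEER" ;;
        "") echo "no handshake completed: not a trust problem; check the port, the stunnel side, and that it speaks TLS at all" ;;
        *)  echo "verify error $1: read the chain printed by -showcerts" ;;
    esac
}

# Constructed s_client transcript for a self-signed parent, used by demo().
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=parent.example
   i:/CN=parent.example
---
SSL handshake has read 1234 bytes and written 456 bytes
---
    Verify return code: 18 (self signed certificate)
---'

# Demo against the constructed transcript; swap in
#   probe_parent parent.example 8443 /etc/squid/parent-ca.pem | verify_code
# (placeholder host and CA path) to run it against a live parent.
demo() {
    code=$(printf '%s\n' "$SAMPLE_OUTPUT" | verify_code)
    echo "verify code: ${code:-none}"
    advise "$code"
}
demo
```

Run it once with the parent's real CA bundle and once without: a code of 0 only with the bundle means the fix is sslcafile= on the cache_peer, while an empty result in both runs points at the stunnel side rather than at certificate trust.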