Hi all,

I am trying to set up MS webmail over RPC Exchange server access through squid (squid 3.1.19, SPARC, Solaris 10) from the internet. Here is my pilot squid configuration (squid.conf):

https_port 156.146.2.196:443 accel cert=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.crt key=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.key cafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt defaultsite=webmail.juicycouture.com

cache_peer 10.150.2.15 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/squid-3.1.19/ssl.crt/webmail_katespade_com.crt sslkey=/opt/squid-3.1.19/ssl.crt/webmail_katespade_com.key sslcafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt name=exchangeServer

cache_peer_access exchangeServer allow all
http_access allow all
miss_access allow all

From the access log of squid:

1337723055.845 7 207.46.14.63 TCP_MISS/503 3905 RPC_IN_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll - FIRST_UP_PARENT/exchangeServer text/html
1337723055.934 5 207.46.14.63 TCP_MISS/503 3932 RPC_IN_DATA https://webmail.juicycouture.com/rpc/rpcproxy.dll - FIRST_UP_PARENT/exchangeServer text/html

From the cache.log of squid:

2012/05/22 17:33:28| Starting Squid Cache version 3.1.19 for sparc-sun-solaris2.10...
2012/05/22 17:33:28| Process ID 7071
2012/05/22 17:33:28| With 256 file descriptors available
2012/05/22 17:33:28| Initializing IP Cache...
2012/05/22 17:33:28| DNS Socket created at [::], FD 8
2012/05/22 17:33:28| DNS Socket created at 0.0.0.0, FD 9
2012/05/22 17:33:28| Adding domain fifthandpacific.com from /etc/resolv.conf
2012/05/22 17:33:28| Adding nameserver 12.127.17.71 from /etc/resolv.conf
2012/05/22 17:33:28| Adding nameserver 12.127.16.67 from /etc/resolv.conf
2012/05/22 17:33:28| Adding nameserver 156.146.2.190 from /etc/resolv.conf
2012/05/22 17:33:28| Unlinkd pipe opened on FD 14
2012/05/22 17:33:28| Store logging disabled
2012/05/22 17:33:28| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2012/05/22 17:33:28| Target number of buckets: 1008
2012/05/22 17:33:28| Using 8192 Store buckets
2012/05/22 17:33:28| Max Mem size: 262144 KB
2012/05/22 17:33:28| Max Swap size: 0 KB
2012/05/22 17:33:28| Using Least Load store dir selection
2012/05/22 17:33:28| Current Directory is /opt/squid-3.1.19/var/logs
2012/05/22 17:33:28| Loaded Icons.
2012/05/22 17:33:28| Accepting HTTPS connections at 156.146.2.196:443, FD 15.
2012/05/22 17:33:28| HTCP Disabled.
2012/05/22 17:33:28| Configuring Parent 10.150.2.15/443/0
2012/05/22 17:33:28| Squid plugin modules loaded: 0
2012/05/22 17:33:28| Ready to serve requests.
2012/05/22 17:33:29| storeLateRelease: released 0 objects
(two "SSL SESSION PARAMETERS" blocks omitted)
2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2012/05/22 17:44:15| TCP connection to 10.150.2.15/443 failed
2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

From the packet capture, the internal Exchange server reset the connection from the squid proxy server with either "Alert (Level: Fatal, Description: Unknown CA)" when I used the official certificates above, or "Alert (Level: Fatal, Description: Certificate Unknown)" when I used an internal CA signed certificate, after the initial HTTPS handshake between squid and the Exchange server.

Can anyone tell me how to correctly configure the cache_peer statement to make it work?

Thanks in advance.

Ryan Jiang