Re: Error to test connectivity to internal MS Exchange server

On 23/05/2012 10:08 a.m., Ruiyuan Jiang wrote:
Hi, all

I am trying to set up MS webmail over RPC Exchange server access through squid (squid 3.1.19, SPARC, Solaris 10) from the internet. Here is my pilot squid configuration (squid.conf):

https_port 156.146.2.196:443 accel cert=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.crt key=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.key cafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt defaultsite=webmail.juicycouture.com

cache_peer 10.150.2.15 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/squid-3.1.19/ssl.crt/webmail_katespade_com.crt sslkey=/opt/squid-3.1.19/ssl.crt/webmail_katespade_com.key sslcafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt name=exchangeServer
<snip>
2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2012/05/22 17:44:15| TCP connection to 10.150.2.15/443 failed
2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

From the packet capture, the internal Exchange server reset the connection from the squid proxy server with either "Alert (Level: Fatal, Description: Unknown CA)" when I used the above official certificates, or "Alert (Level: Fatal, Description: Certificate Unknown)" when I used an internal CA signed certificate, after the initial https handshake between squid and the Exchange server. Can anyone tell me how I correctly configure the cache_peer statement to make it work?

In case you did not figure this out already... Squid is unable to validate the Exchange server certificate using either the OpenSSL library's trusted CA certificates or the certificate given with the sslcafile= parameter to verify it with.

* Check that your OpenSSL library's trusted CAs are up to date on the Squid machine - this is the most common cause of validation errors.

* Check that your /opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt file on the Squid machine contains the CA used to sign the Exchange server's certificate.

Amos
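As an added example (not from this thread or the Squid project), the following shell script reproduces the check Amos describes outside Squid: fetch the chain the peer presents and verify it against the file named in sslcafile=, the same way OpenSSL does inside Squid when it logs "certificate verify failed". The host, port and file paths in the commented usage are the ones quoted in the thread and are placeholders.

```shell
#!/bin/sh
# Added example: reproduce Squid's cache_peer certificate check by hand.
# Squid verifies the origin server's certificate against the CA file given in
# sslcafile= (plus the OpenSSL default store). "certificate verify failed" in
# cache.log and an "Unknown CA" alert in the capture mean the signing CA is
# not in that file. Paths and addresses below are placeholders from the thread.

# Fetch the certificate chain the peer presents, as Squid would see it.
# Usage: fetch_peer_chain HOST PORT OUTFILE
fetch_peer_chain() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# Verify the first certificate in a PEM file against a CA bundle, using any
# further certificates in the file as untrusted intermediates (what the peer
# sends). Returns 0 only when the chain reaches a CA in CAFILE.
# Usage: verify_against_cafile CAFILE CERTFILE
verify_against_cafile() {
    cafile=$1; cert=$2
    if openssl verify -CAfile "$cafile" -untrusted "$cert" "$cert" >/dev/null 2>&1; then
        echo "OK: $cert chains to a CA in $cafile"
        return 0
    fi
    echo "FAIL: $cert does not chain to any CA in $cafile (Squid would log 'certificate verify failed')"
    return 1
}

# Print subject and issuer of every certificate in a PEM file, so the CA that
# actually signed the peer certificate can be compared with the bundle.
# Usage: list_issuers PEMFILE
list_issuers() {
    dir=$(mktemp -d)
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    for f in "$dir"/*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer
    done
    rm -rf "$dir"
}

# Example run with the values quoted in the thread (placeholders):
# fetch_peer_chain 10.150.2.15 443 /tmp/exchange-chain.pem
# list_issuers /tmp/exchange-chain.pem
# verify_against_cafile /opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt /tmp/exchange-chain.pem
```

If the verify step fails, the issuer printed by list_issuers is the CA that must be appended to the sslcafile= bundle (or installed in the OpenSSL trust store) on the Squid host.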

