Yuri and Amos, thanks for the replies! There is an openssl command that tells where OpenSSL will search for CA certs.
$ openssl version -d
OPENSSLDIR: "/etc/pki/tls"
On Sat, Feb 7, 2015 at 5:19 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 8/02/2015 9:28 a.m., Hector Chan wrote:
> Hi all,
>
> I have a question about the CA file for SSL certificates. If I don't
> specify anything for CA, what is default CA certs that squid will use for
> the cache_peer ?
The ones OpenSSL is configured to use.
>
> Here is a snippet of my config file.
>
> https_port 127.0.0.1:4443 accel \
> cert=/etc/certs/certificate \
> key=/etc/certs/key \
> options=NO_SSLv2,NO_SSLv3
> ...
> cache_peer xyz.example.com parent 443 0 \
> no-query originserver \
> ssl forceddomain= xyz.example.com \
NP: be careful about the whitespace there after forceddomain= .
It will force the domain to be *unset* if the parameter is whitespace.
> login=PASS \
> sslcert=/etc/certs/certificate \
> sslkey=/etc/certs/key \
> ssloptions=NO_SSLv2,NO_SSLv3
In this configuration the peer certificate will be signed by some CA
(maybe you are doing self-signing).
You need to add the public key for that CA to the cache_peer like so:
cache_peer ... \
sslcafile=/path/to/xyz.example.com/publicCAkey.pem
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
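Added example for this thread (not code from Squid or from either poster): a small POSIX shell script that shows where the OpenSSL build Squid links against looks for CA certificates by default, and how to check a peer certificate against an explicit CA file before pointing cache_peer ... sslcafile= at it. It assumes the openssl CLI (1.1.1 or later) is on PATH. The CA and the peer certificate it uses are throwaway ones generated on the spot, and "xyz.example.com" is just the peer name from the thread; none of this is the real peer's PKI.

```sh
#!/bin/sh
# Added example for the squid-users thread above; not Squid's own code.
# Assumes: openssl CLI (1.1.1+) on PATH. The CA and peer certificate are
# throwaway ones generated here, standing in for the real peer's issuer.
set -eu

# Print the directory OpenSSL was built to use for its default CA store.
# With no sslcafile=/sslcapath= on the cache_peer line, this is where
# verification will look (typically $OPENSSLDIR/certs or cert.pem there).
openssl_default_dir() {
    openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Create a private CA plus a peer certificate signed by it under directory $1.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed root; req -x509 output is marked CA:TRUE by the default config.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # Peer key + CSR, then sign it with the CA and add a SAN for the peer name.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=xyz.example.com" \
        -keyout "$dir/peer.key" -out "$dir/peer.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:xyz.example.com\n' > "$dir/peer.ext"
    openssl x509 -req -days 1 -in "$dir/peer.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/peer.ext" -out "$dir/peer.pem" >/dev/null 2>&1
}

# Exit 0 if certificate $2 chains to CA file $1: the check Squid performs
# once sslcafile=$1 is set on the cache_peer line.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same, but also require the certificate to be valid for host name $2
# (SAN, falling back to CN). Catches a cert that is trusted but was issued
# to a different name than the peer you are connecting to.
verify_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# Exit 0 only if the system default store (what Squid falls back to with no
# sslcafile=) already trusts certificate $1.
verify_against_default() {
    openssl verify "$1" >/dev/null 2>&1
}

# Usage: ./peercheck.sh demo   (self-check against a throwaway PKI)
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    echo "OpenSSL default dir: $(openssl_default_dir)"
    make_test_pki "$work"
    verify_against_default "$work/peer.pem" && echo "default store: trusted" \
        || echo "default store: NOT trusted (expected for a private CA)"
    verify_against "$work/ca.pem" "$work/peer.pem" && echo "explicit sslcafile: trusted"
    verify_for_host "$work/ca.pem" xyz.example.com "$work/peer.pem" && echo "host name matches"
    rm -rf "$work"
fi
```

For the real peer, replace the generated ca.pem with the certificate of whichever CA signed xyz.example.com's certificate and run verify_for_host against a copy of the peer's certificate (for example one saved from `openssl s_client -connect xyz.example.com:443 -showcerts`); only a chain that passes here will pass Squid's verification once sslcafile= points at that file.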