On 18/02/2015 2:24 p.m., Hector Chan wrote:
> Forgot to add. The actual cert is world readable.
>
> [admin@dsg214 ~]# ll /data/cacerts/../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
> -rw-r--r-- 1 admin root 1108 Feb 18 00:21 /data/cacerts/../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
>
> On Tue, Feb 17, 2015 at 5:18 PM, Hector Chan <hectorchan@xxxxxxxxx> wrote:
>
>> Hi All,
>>
>> I have a question about using sslcapath in cache_peer. My
>> server.example.com has a self-signed cert, which I imported into my squid
>> box under /data/certs. The following cache_peer line actually worked.
>> However, if I remove the sslcafile, squid won't verify the self-signed cert.
>>
>> cache_peer server.example.com parent 443 0 \
>>   no-query originserver ssl \
>>   forceddomain=server.example.com \
>>   login=PASS \
>>   sslcert=/data/certs/certificate sslkey=/data/certs/key \
>>   ssloptions=NO_SSLv2,NO_SSLv3 \
>>   sslcafile=/data/cacerts/72af835f.0 \
>>   sslcapath=/data/cacerts
>>
>> [admin@dsg214 cacerts]# ls -l
>> total 0
>> lrwxrwxrwx 1 admin root 53 Feb 18 00:22 35fa123a.0 -> ../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
>>
>> Running openssl command from the squid box verified the certificate chain
>> ok with the -CApath option, which really puzzled me.
>> # openssl s_clients -CApath /data/certs -connect server.example.com:443
>>
>> Any ideas?

Those parameters are treated as strings passed directly as the input to this OpenSSL API:
<http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html>

It does not seem to define what happens if CAFile is NULL. So anything could happen.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
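Added example, not code from this thread or from Squid: a shell script that builds a CApath directory the way SSL_CTX_load_verify_locations() expects it (links named by subject hash, as c_rehash produces them) and shows that the same certificate linked under any other name is not found by a -CApath lookup. It assumes openssl is on PATH; the working directory, file names and the CN=server.example.com subject are constructed for the demo.

```shell
# Added example, not code from the thread: build a CApath directory the way
# SSL_CTX_load_verify_locations() expects it and check a self-signed cert
# against it. The working directory, file names and subject are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed certificate standing in for the peer's own cert.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=server.example.com" \
        -keyout "$WORK/key" -out "$WORK/cert.crt" >/dev/null 2>&1
}

# Link CERT into CAPATH under the only name the CApath lookup will try:
# <subject_hash>.<n>, n starting at 0 and counting up on hash collisions.
# Prints the link name. (c_rehash / "openssl rehash" do this for a directory.)
install_in_capath() {
    capath=$1; cert=$2
    mkdir -p "$capath"
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$capath/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$cert" "$capath/$hash.$n"
    printf '%s.%s\n' "$hash" "$n"
}

# Exit 0 when CERT verifies using CAPATH, non-zero otherwise.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# "good" holds a correctly hashed link; "bad" holds the same cert under an
# arbitrary name (a content hash, say), which -CApath never looks at.
setup_demo() {
    make_selfsigned
    install_in_capath "$WORK/good" "$WORK/cert.crt" >/dev/null
    mkdir -p "$WORK/bad"
    ln -s "$WORK/cert.crt" "$WORK/bad/cert-copy.crt"
}

# Prints ok or FAIL for the named demo directory.
check_dir() {
    if verify_with_capath "$WORK/$1" "$WORK/cert.crt"; then echo ok; else echo FAIL; fi
}
setup_demo
echo "hashed link   : $(check_dir good)"   # ok
echo "arbitrary name: $(check_dir bad)"    # FAIL
```

The same check applies to a Squid sslcapath directory: every file the peer's chain needs must be reachable under its subject-hash name, or only the certificate named in sslcafile will be considered.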