On 4/01/2016 8:58 a.m., Florian Stamer wrote: > Hi I,m currently testing Squid 4.0.3 in Reverse Proxy Mode. > > It seems that the sslflags directives "DONT_VERIFY_PEER" and "DONT_VERIFY_DOMAIN" do not work. > Should be. They are planned for removal, but nothing towards that has ot happened yet. > Here is the relevant config: > > https_port 443 accel cert=/etc/squid/ssl/wildcard.cer key=/etc/squid/ssl/wildcard.key defaultsite=externeURL cipher=HIGH:!aNULL options=SINGLE_DH_USE,NO_SSLv3 dhparams=/etc/squid/ssl/dhparams.pem > cache_peer localserver parent 443 0 proxy-only no-query no-digest front-end-https=on originserver login=PASS ssl ssloptions=NO_SSLv3 sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=ExchangeCAS > > It perfectly workes in my production System based on Ubuntu LTS 14.04.3, Squid 3.3.8. > > Everytime i try to access the site i get an error: > > The system returned: > (71) Protocol error (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH) > Certificate does not match domainname > > I'm using a SAN Certificate... > > I can workaround this using the directive "sslproxy_cert_error allow all". But that is not what i want... > > Are there any issues known? > Is something wrong with my config? Nothing obvious. It might be related to one of the issues fixed since 4.0.3 was packaged. Are you able to try the latest 4.x snapshot ? Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
