Hi,
Tested the latest snapshot and 4.0.4.
Still the same.
Regards,
Florian
-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
Sent: Monday, 4 January 2016 12:07
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: squid 4.0.3 - sslflags not working?
On 4/01/2016 8:58 a.m., Florian Stamer wrote:
> Hi, I'm currently testing Squid 4.0.3 in Reverse Proxy Mode.
>
> It seems that the sslflags directives "DONT_VERIFY_PEER" and "DONT_VERIFY_DOMAIN" do not work.
>
Should be. They are planned for removal, but nothing towards that has happened yet.
> Here is the relevant config:
>
> https_port 443 accel cert=/etc/squid/ssl/wildcard.cer
> key=/etc/squid/ssl/wildcard.key defaultsite=externeURL
> cipher=HIGH:!aNULL options=SINGLE_DH_USE,NO_SSLv3
> dhparams=/etc/squid/ssl/dhparams.pem
> cache_peer localserver parent 443 0 proxy-only no-query no-digest
> front-end-https=on originserver login=PASS ssl ssloptions=NO_SSLv3
> sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=ExchangeCAS
>
> It works perfectly in my production system based on Ubuntu LTS 14.04.3, Squid 3.3.8.
>
> Every time I try to access the site I get an error:
>
> The system returned:
> (71) Protocol error (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
> Certificate does not match domainname
>
> I'm using a SAN Certificate...
>
> I can work around this using the directive "sslproxy_cert_error allow all". But that is not what I want...
>
> Are there any issues known?
> Is something wrong with my config?
Nothing obvious.
It might be related to one of the issues fixed since 4.0.3 was packaged.
Are you able to try the latest 4.x snapshot?
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
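
An added example, not part of the thread and not Squid's code: a check for the kind of mismatch reported above, comparing the name being verified (here the cache_peer hostname `localserver` from the posted config) against a certificate's subjectAltName DNS entries using RFC 6125 style wildcard rules. The SAN list is constructed, since the thread does not show the real certificate's names; `san_matches` and `check_peer` are hypothetical helper names.

```python
# Added example: hostname-vs-SAN matching, the comparison behind a
# "certificate does not match domain name" error.
# SAMPLE_SANS is constructed; the thread does not show the real certificate.
SAMPLE_SANS = ["mail.example.com", "*.example.com", "autodiscover.example.com"]


def san_matches(hostname: str, san: str) -> bool:
    """Return True if hostname is covered by one SAN dNSName entry."""
    host = hostname.rstrip(".").lower().split(".")
    pat = san.rstrip(".").lower().split(".")
    # A wildcard never spans a dot, so both names need the same label count.
    if len(host) != len(pat):
        return False
    # A wildcard is only honoured in the left-most label ...
    if any("*" in label for label in pat[1:]):
        return False
    # ... and never directly above a top-level domain ("*.com").
    if pat[0] == "*" and len(pat) < 3:
        return False
    for p, h in zip(pat, host):
        if p == "*":
            if not h:          # an empty label cannot satisfy the wildcard
                return False
        elif p != h:           # partial wildcards ("f*") never match here
            return False
    return True


def check_peer(verify_name: str, sans: list) -> list:
    """List the SAN entries that cover verify_name (empty list = mismatch)."""
    return [s for s in sans if san_matches(verify_name, s)]


if __name__ == "__main__":
    # "localserver" is the cache_peer hostname in the posted config.
    for name in ("localserver", "mail.example.com", "a.b.example.com"):
        hits = check_peer(name, SAMPLE_SANS)
        print(f"{name:20} -> {'OK ' + str(hits) if hits else 'DOMAIN MISMATCH'}")
```

A single-label internal name such as `localserver` cannot be covered by a wildcard entry, so with domain verification active it only passes if the certificate lists that exact name.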