
HTTPS reverse proxy: SSL Certificate verification failed

Hello,

I want to set up Squid as an HTTPS reverse proxy for several of our websites, but I have a certificate verification problem in Squid's access.log.
Our upstream webservers are behind a VPN tunnel and only the Squid server can access them. (We actually use Nginx for the same purpose but want to switch to Squid.)

                              HTTPS                           HTTPS
[client browser] -----------------------> [Squid] --------------------------> [upstream server]


I run squid 3.4.8-6+deb8u4 recompiled with --enable-ssl --with-open-ssl="/etc/ssl/openssl.cnf" on Debian Jessie.

The certificate presented to the client is the same as on the upstream server, a wildcard one signed by GeoTrust (with intermediate CA). It appears correctly in the browser.
The problem comes from Squid's verification of the upstream certificate.

My basic squid.conf looks like:

https_port <squid IP>:443 accel defaultsite=upstream1.domain.tld vhost cert=<path to SSL cert>

cache_peer <upstream IP> parent 443 0 no-query originserver name=upstream1 ssl

acl upstream1 dstdomain upstream1.domain.tld
cache_peer_access upstream1 allow upstream1

And the logs are full of:

fwdNegotiateSSL: Error negotiating SSL connection on FD 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
TCP connection to <upstream IP> failed


If I verify the upstream server with openssl, I get an error, but if I give it the intermediary CA certificate (to be precise, I give it the full chain concatenated in one file), it's OK.

$ openssl s_client -showcerts -connect upstream.domain.tld:443 -CAfile <path to full cert chain>.pem
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
verify return:1
depth=0 CN = *.fraudbuster.mobi
verify return:1

...

    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


In Squid, I tried several options for cache_peer (sslcapath and sslcafile...) but I keep getting this error. Of course the sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN options solve the problem, but I don't want to use this solution (my certificate is legitimate and I want to validate it normally).

What am I doing wrong? And what should I do to make Squid work in this setup?

Thanks.

Eric.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
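The script below is an added example, not part of the original post and not Squid's own code: it builds a constructed root -> intermediate -> leaf chain with the openssl CLI and reproduces the failure mode described above, where the leaf only verifies when the intermediate is available, either inside the CA file (the concatenated chain the poster fed to -CAfile) or supplied by the peer. All CNs, file names and the temporary directory are constructed for the demonstration; it assumes an openssl binary supporting -config/-extfile (1.1.1 or later).

```sh
#!/bin/sh
# Constructed three-tier PKI to show which CA file contents let a leaf verify.
# Nothing here is from the original post; names and paths are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:upstream1.domain.tld
EOF

# Build root, intermediate and leaf once; all files land in $WORK.
build_pki() {
  cd "$WORK"
  Q="-config pki.cnf -nodes -newkey rsa:2048"   # shared req options, unquoted on purpose
  openssl req -x509 $Q -extensions ca_ext -keyout root.key -out root.pem \
    -subj "/CN=Constructed Root CA" -days 30 2>/dev/null
  openssl req -new $Q -keyout int.key -out int.csr \
    -subj "/CN=Constructed Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions ca_ext -out int.pem -days 30 2>/dev/null
  openssl req -new $Q -keyout leaf.key -out leaf.csr \
    -subj "/CN=upstream1.domain.tld" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile pki.cnf -extensions leaf_ext -out leaf.pem -days 30 2>/dev/null
  # The concatenated file from the post: root plus intermediate in one PEM.
  cat root.pem int.pem > chain.pem
}

# verify_leaf CAFILE [extra 'openssl verify' options] -> prints "ok" or "fail".
verify_leaf() {
  cafile=$1; shift
  if openssl verify -CAfile "$WORK/$cafile" "$@" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

build_pki
echo "root only:                  $(verify_leaf root.pem)"                            # fail
echo "root + intermediate in file: $(verify_leaf chain.pem)"                          # ok
echo "root, intermediate from peer: $(verify_leaf root.pem -untrusted "$WORK/int.pem")"  # ok
```

The -untrusted case models a peer that sends its intermediate in the handshake; the chain.pem case models a CA file that carries the intermediate itself, which is the shape of file the poster's sslcafile= would need to point at.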
