
Re: Squid reject self-signed SSL certificate of ICAP server

2017-06-21 19:46 GMT+03:00 Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
On 06/21/2017 10:15 AM, Nikita wrote:

> Is it possible to allow self-signed SSL certificates for ICAP server
> connections somehow?

Can you configure your OpenSSL library (or equivalent) to trust the ICAP
server certificate? Squid delegates most of the certificate validation
work to OpenSSL (or equivalent).


Probably worth a try, but in my case it is generally undesirable to modify the global OpenSSL config.


> There is a tls-flags=DONT_VERIFY_PEER flag, but in this case Squid
> doesn't send its own certificate to the ICAP server

Why do you think tls-flags=DONT_VERIFY_PEER only works if Squid sends
its own certificate? The two actions (from-peer certificate validation
and sending of a certificate to a peer) seem unrelated to me.


In my case, for some unknown reason, Squid doesn't send its own certificate to the ICAP server, probably because of the DONT_VERIFY_PEER flag, but I'm not sure here. BIO_do_handshake fails with "no certificate returned" on the ICAP server side despite the fact that the Squid certificate was specified via the tls-cert and tls-key options of the icap_service config directive and the ICAP server was configured to request a client certificate. It seems I need to investigate the Squid source code in more detail to find some answers. Thanks for the advice.
 
Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
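Added example (not part of the thread above, and not Squid project documentation): the two shapes the icap_service line discussed in this exchange can take for an ICAP server with a self-signed certificate. The service names, host, port, URL path and file paths are assumptions. tls-cert/tls-key control what Squid presents as its client certificate, and tls-flags=DONT_VERIFY_PEER controls only whether Squid validates the server's certificate; the two are independent, as the reply says. tls-cafile is an icap_service option in Squid 4 and later; check squid.conf.documented for the version in use.

```conf
# squid.conf fragment (added example; service name, host, port and paths are assumptions)
#
# Keep only ONE of the two icap_service definitions below in a real config.

# Weak: DONT_VERIFY_PEER switches off validation of the ICAP server's
# certificate entirely, so anything able to intercept the connection can
# impersonate the ICAP server. Note that tls-cert/tls-key are still given,
# so Squid still offers its client certificate; the flag does not change that.
icap_service icap_req_noverify reqmod_precache icaps://icap.example.internal:11344/request \
    tls-cert=/etc/squid/certs/squid-client.pem \
    tls-key=/etc/squid/certs/squid-client.key \
    tls-flags=DONT_VERIFY_PEER

# Preferred: leave verification on and trust exactly the ICAP server's
# self-signed certificate (PEM) for this service only, via tls-cafile.
# This scopes the trust decision to the icap_service line, so the global
# OpenSSL trust store does not need to be modified.
icap_service icap_req reqmod_precache icaps://icap.example.internal:11344/request \
    tls-cert=/etc/squid/certs/squid-client.pem \
    tls-key=/etc/squid/certs/squid-client.key \
    tls-cafile=/etc/squid/certs/icap-server-selfsigned.pem

adaptation_access icap_req allow all
```

For the "no certificate returned" failure on the ICAP server side, a check that is independent of Squid is to run `openssl s_client -connect icap.example.internal:11344 -cert /etc/squid/certs/squid-client.pem -key /etc/squid/certs/squid-client.key` (host and paths assumed as above) from the Squid host: if that handshake also fails with the same error, the problem is between the certificate files and the ICAP server's client-certificate requirements rather than in the Squid option handling.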
