On 22/06/17 21:23, Nikita wrote:
2017-06-21 19:46 GMT+03:00 Alex Rousskov:
On 06/21/2017 10:15 AM, Nikita wrote:
> Is it possible to allow self-signed SSL certificates for ICAP server
> connections somehow?
Can you configure your OpenSSL library (or equivalent) to trust the ICAP
server certificate? Squid deletages most of the certificate validation
work to OpenSSL (or equivalent).
Probably worth a try, but generally it is undesirable in my case to
modify global OpenSSL config.
> There is tls-flags=DONT_VERIFY_PEER flag, but in this case Squid
> don't send it's own certificate to ICAP server
Why do you think tls-flags=DONT_VERIFY_PEER only works if Squid sends
its own certificate? The two actions (from-peer certificate validation
and sending of a certificate to a peer) seem unrelated to me.
In my case for some unknown reasons Squid don't send its own certificate
to ICAP server, probably because of DONT_VERIFY_PEER flag, but not sure
here. BIO_do_handshake fails with "no certificate returned" on ICAP
server side despite the fact that squid certificate was specified via
tls-cert and tls-key options of icap_service config directive and ICAP
server was configured to request client certificate. It seems need to
investigate Squid source code in more detail to find some answers,
thanks for advices.
What DONT_VERIFY_PEER does is prevent Squid checking any of the TLS
server details that ensure it is actually talking to the ICAP server you
configured it to use. As Alex said it does not directly prevent Squid
code from sending a client cert, but it *does* allow your Squid traffic
to be diverted to a completely irrelevant ICAP server and you will never
know.
It is quite possible the behaviour you are seeing is simply because
Squid is not even connected to the ICAP server you are trying to test with.
I hope this clarifies why I strongly recommend people erase the
DONT_VERIFY_PEER option from their configs, and get things going without
it. It is not a useful debugging tool, let along production setting.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users