Search squid archive

Re: Squid reject self-signed SSL certificate of ICAP server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 22/06/17 21:23, Nikita wrote:

2017-06-21 19:46 GMT+03:00 Alex Rousskov:

    On 06/21/2017 10:15 AM, Nikita wrote:

    > Is it possible to allow self-signed SSL certificates for ICAP server
    > connections somehow?

    Can you configure your OpenSSL library (or equivalent) to trust the ICAP
    server certificate? Squid deletages most of the certificate validation
    work to OpenSSL (or equivalent).


Probably worth a try, but generally it is undesirable in my case to modify global OpenSSL config.


    > There is tls-flags=DONT_VERIFY_PEER flag, but in this case Squid
    > don't send it's own certificate to ICAP server

    Why do you think tls-flags=DONT_VERIFY_PEER only works if Squid sends
    its own certificate? The two actions (from-peer certificate validation
    and sending of a certificate to a peer) seem unrelated to me.


In my case for some unknown reasons Squid don't send its own certificate to ICAP server, probably because of DONT_VERIFY_PEER flag, but not sure here. BIO_do_handshake fails with "no certificate returned" on ICAP server side despite the fact that squid certificate was specified via tls-cert and tls-key options of icap_service config directive and ICAP server was configured to request client certificate. It seems need to investigate Squid source code in more detail to find some answers, thanks for advices.


What DONT_VERIFY_PEER does is prevent Squid checking any of the TLS server details that ensure it is actually talking to the ICAP server you configured it to use. As Alex said it does not directly prevent Squid code from sending a client cert, but it *does* allow your Squid traffic to be diverted to a completely irrelevant ICAP server and you will never know.

It is quite possible the behaviour you are seeing is simply because Squid is not even connected to the ICAP server you are trying to test with.

I hope this clarifies why I strongly recommend people erase the DONT_VERIFY_PEER option from their configs, and get things going without it. It is not a useful debugging tool, let along production setting.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux