Thank you Alex.

> Sounds good. Does the generated fake certificate contain the right
> origin server name?

Sid: Yes, it does contain the correct IP address in the server name sent by the client.

> Why do you expect the client to send a client certificate to Squid? In
> most deployments, TLS servers do not request client certificates and,
> hence, TLS clients do not send client certificates. IIRC, you did not
> configure your Squid to request a client certificate from the client?

> Or is there a terminology problem where "client certificate sent to
> Squid" means something other than "an x509 certificate requested by a
> TLS server and sent to that server by a TLS client during TLS
> handshake"? Please note that Squid is a TLS server in this context.

Sid: Actually, in my case the server is looking for a certificate to be sent by the client; it isn't a web server but an SBC looking for a certificate sent by a client to grant further voice & video calls. How do I configure Squid to get this certificate from the client for mutual authentication?

> Perhaps the alert may not be related to certificate validation. If you
> want to verify whether UCAppsCA.pem is enough to trust the origin
> server, you can use "curl" or "openssl s_client" tools for a test. They
> should fail to validate the server when not configured to use
> UCAppsCA.pem and they should succeed otherwise.

Sid: I have tried the following, which shows "Verify return code: 0 (ok)":

    openssl s_client -connect <Server FQDN>:443 -CAfile /usr/local/squid/etc/UCAppsCA.pem

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users