On 20/12/18 9:29 am, Bruno de Paula Larini wrote:
> On 19/12/2018 16:29, Patrick Chemla wrote:
>>
>> - Having more than one IP on the server, create SSL certificates from
>> LetsEncrypt including each a list of some domains and sub-domains
>>
>> - Create a very big certificate to have squid using it (not the best
>> choice because domains are of different content, far one to the other)
>>
>> - Having squid managing all certificates on a single IP. (The best
>> because some domains have very high encryption needs, and LetsEncrypt
>> is not their preference)
>>
>>
>> Like a bottle in the sea: Is that possible, multiple certificates,
>> with squid 4.4 on a single IP?
>>
>>
> Based on what I had researched recently, Squid still doesn't handle SNI
> in accel mode, so you could set different, non-wildcard certificates to
> the websites. See:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-0-x-SNI-Support-td4682018.html
> But it would be nice if Amos could confirm if this information is still
> true for 4.4.
>

There has been some progress in that I have now tested this behaviour
both with multiple certs in different files and sharing a PEM file.

OpenSSL definitely can use only one certificate per http(s)_port. Either
the _last_ loaded if several PEM files are loaded (each call to the
OpenSSL API *replaces* the certs loaded), or if one tries to work around
that by merging everything into a single PEM and only loading it all at
once - only the _first_ cert chain is ever used from that set.

There also does not appear to be any alternative API capable of loading
multiple certs into a single security context and having them used as
leaf certs. If anyone is aware of such a mechanism I would *greatly*
appreciate hearing about it.

On the other hand the GnuTLS mechanism can simply load as many PEMs as
one wants with a single cert chain in each - it "just works". Providing
the appropriate cert chain for any requested domain in its serverHello,
or the first cert loaded if the domain has no cert at all.

FYI; there are other bugs apparently with the GnuTLS priority-string
settings (the tls-options= and tls-min-version=) which may prevent
advanced TLS tuning. And of course with GnuTLS builds one cannot yet
have a dual-purpose proxy also doing SSL-Bump on some traffic (if that
matters). So, YMMV as to whether GnuTLS is worthwhile switching to right
now.

If you do choose to switch, the squid.conf for this feature in a GnuTLS
build would look like:

  https_port 443 accel \
    cert=/etc/squid/tls/default.example.com.pem \
    cert=/etc/squid/tls/example.net.pem \
    cert=/etc/squid/tls/example.org.pem \
    ...

and so on with a PEM for each domain served by that port. You should be
able to reduce the list a bit by using wildcard certs for the
sub-domains, but I have not tested that possibility yet.

Amos
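Added example (not part of the thread above, and not Squid's own code): a small POSIX shell script a Squid admin can run against an accel https_port to verify which certificate is actually presented for each SNI name, and whether that certificate's SAN list covers the name. A "MISMATCH" for every name but one is the symptom Amos describes for OpenSSL builds (only the first or last loaded chain is ever served). It assumes the openssl CLI (1.1.1 or later, for `x509 -ext`) is installed, that the proxy is reachable at the host/port you pass in, and the domain names are taken from Amos's example config; the SAN matching honours a single leftmost wildcard label, which is relevant to the closing remark about reducing the cert list with wildcard certs.

```shell
#!/bin/sh
# Probe a Squid https_port and report, per SNI name, whether the presented
# certificate covers that name. Assumes the openssl CLI is available.

# Return 0 if NAME is covered by the SAN entry PATTERN. A single leftmost
# wildcard label is honoured: *.example.net matches www.example.net but
# neither example.net nor a.b.example.net (RFC 6125 style matching).
san_matches() {
    name=$1
    pattern=$2
    case $pattern in
        \*.*)
            suffix=${pattern#\*.}
            case $name in
                *."$suffix")
                    label=${name%."$suffix"}
                    # exactly one extra label, and a non-empty one
                    case $label in
                        *.*|'') return 1 ;;
                        *) return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
        *)
            [ "$name" = "$pattern" ] ;;
    esac
}

# Return 0 if NAME matches any of the SAN entries given as further arguments.
name_covered() {
    name=$1
    shift
    for san in "$@"; do
        san_matches "$name" "$san" && return 0
    done
    return 1
}

# Print the DNS SAN entries of the certificate HOST:PORT presents when the
# client sends NAME in the TLS SNI extension (one entry per line).
server_sans() {
    name=$1; host=$2; port=$3
    printf '' | openssl s_client -connect "$host:$port" -servername "$name" 2>/dev/null \
      | openssl x509 -noout -ext subjectAltName 2>/dev/null \
      | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# For each domain given, probe the port and report whether the presented
# certificate covers it. Returns non-zero if any domain is not covered,
# i.e. the port fell back to its default/first certificate for that name.
check_port() {
    host=$1; port=$2; shift 2
    rc=0
    for domain in "$@"; do
        sans=$(server_sans "$domain" "$host" "$port")
        if [ -z "$sans" ]; then
            echo "$domain: no certificate or no SAN extension returned"
            rc=1
            continue
        fi
        shown=$(printf '%s' "$sans" | tr '\n' ' ')
        # subshell with set -f so wildcard SAN entries are not glob-expanded
        # shellcheck disable=SC2086
        if ( set -f; name_covered "$domain" $sans ); then
            echo "$domain: OK (SANs: $shown)"
        else
            echo "$domain: MISMATCH (SANs presented: $shown)"
            rc=1
        fi
    done
    return $rc
}

# Usage, against a local accel port, with the names from the example config:
#   check_port 127.0.0.1 443 default.example.com www.example.net example.org
```

Run it once after switching builds or reloading Squid; with a GnuTLS build and one PEM per cert= line every name should report OK, while an OpenSSL build serving one chain for all names will report OK only for the names that single chain happens to cover.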