On 4/08/19 2:11 am, Eugene M. Zheganin wrote:
> Hello,
>
>
> I'm using squid 4.6 and I need to TLS-encrypt the session to the parent
> proxy. I have in config:
>
>
> cache_peer proxy.foo.bar parent 3129 3130 tls
> tls-cafile=/usr/local/etc/squid/certs/le.pem
> sslcert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem
> sslkey=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem
> sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
>

Please start with "squid -k parse" and update those to the Squid-4 options.
Also, any errors/warnings mentioned about the PEM files contents need to be
fixed.

>
> But no matter what I'm doing, squid keeps telling in logs that he
> doesn't like the peer certificate:
>
>
> 2019/08/03 18:42:24 kid1| ERROR: negotiating TLS on FD 23:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
> verify failed (1/-1/0)
> 2019/08/03 18:42:24 kid1| temporary disabling (Service Unavailable)
> digest from proxy.foo.bar
>
> and then he's going directly bypassing the peer. :/
>
>
> Is there any way to tell him that I don't care ?
>

You really should care. There is no point in TLS to a peer if you are
going to ignore whether the right peer is even being connected to.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
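The option update asked for in the reply, as an added example that is not part of the original thread: the quoted cache_peer line rewritten with the Squid-4 tls-* option names, first with verification still disabled and then with it left on. Assumptions: le.pem holds the CA chain that issued the parent's certificate, the parent actually requests a client certificate, and tls-domain= is only needed if the parent's certificate names something other than proxy.foo.bar.

```conf
# squid.conf fragment (added example; paths and host names are the ones quoted
# in the thread). In Squid 4 the cache_peer ssl* options were renamed:
#   sslcert=  -> tls-cert=
#   sslkey=   -> tls-key=
#   sslflags= -> tls-flags=
# "squid -k parse" reports any old names still present in the file.

# Weak form: same settings as the quoted config, Squid-4 names only.
# DONT_VERIFY_PEER accepts any certificate the remote end presents and
# DONT_VERIFY_DOMAIN skips the name check, so the link is encrypted but the
# parent is never authenticated.
#cache_peer proxy.foo.bar parent 3129 3130 tls tls-cafile=/usr/local/etc/squid/certs/le.pem tls-cert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem tls-key=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem tls-flags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER

# Corrected form: no DONT_VERIFY_* flags. The parent's certificate must chain
# to a CA in tls-cafile= (assumed here to be the issuing chain) and must match
# the peer host name. tls-cert=/tls-key= stay only if the parent asks for a
# client certificate (assumption).
cache_peer proxy.foo.bar parent 3129 3130 tls tls-cafile=/usr/local/etc/squid/certs/le.pem tls-cert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem tls-key=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem

# If the parent's certificate is issued for a different name than the one used
# to reach it, state the expected name rather than disabling the check
# (parent-cert-name.example is a placeholder, not a value from the thread):
#cache_peer proxy.foo.bar parent 3129 3130 tls tls-cafile=/usr/local/etc/squid/certs/le.pem tls-domain=parent-cert-name.example
```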