On 31/10/19 9:49 am, Marek Greško wrote:
> Hello,
>
> Matus, I also found the document. It should be sending the chain, but
> is not. When I specify cafile option it responds I should use
> tls-cafile. But in either case it is not sending.
>
> Walter, if squid has such requirement, then it is unfinished. Every
> other proxy is able to run its CA as an intermediate and clients
> install only root CA. The proxy should be responsible to hold the
> chain. The url Matus sent is the correct way how to do it, but it is
> not working. At least not in 4.8 version.
>

"
 cafile=    File containing additional CA certificates to
            use when verifying client certificates.
"

Note that last line. Squid-4 is more strict about its configured inputs
being used for what they are documented as.

The best place to put the chain is actually in the PEM file used in the
cert= parameter. It should contain as much of the chain as you want
Squid to send, starting with the proxy's signing CA cert and going up the
chained intermediate CA certs towards the root CA.

Squid-4 will validate all certificates actually are a chain with correct
sequence, ignoring any which are incorrect or out of sequence.

Running "squid -k parse" will report any errors loading the chain.

Amos