Search squid archive

Re: HTTPS_PORT AND SSL CERT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I retried everything possible in terms of order in the pem file.
from my workstation, if i do "openssl s_client -showcerts -connect mysquid.mycompany.com:8443" i only get one certificate/issuer, but the same command on same server but different port (apache listenning on 443), i correctly get 2 certificates/issuers:

I precise my https configuration isn't for ssl_bump purpose but only to provide secure access to the http proxy through the WAN with a valid certificate.
Do you some of you use complete certificates (including intermediate) with squid? If yes please tell me how you made it work.
I do have the latest stable squid version built with openssl support.

If squid isn't able to do that, as we  do with so many other softwares, I should consider to use an haproxy server or apache reverse proxy in front of the squid to handle correctly the SSL cert.

Regards,



De : Julien TEHERY <julien.tehery@xxxxxxxxxxxxxxxxxxx>
Envoyé : mercredi 27 mai 2020 09:54
À : Amos Jeffries <squid3@xxxxxxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Objet : RE: HTTPS_PORT AND SSL CERT
 
Unfortunately, i've just compiled/ and built deb packages a fresh new squid 4.11
Now SSL support should be fully operational, but the certificate i still not showing the intermediate.

I just tried https_port 8443 tls-cert=/etc/squid/wildcard.mycompany.com.pem
where in the pem file i have in this precise order:
  • cert key
  • server cert
  • intermediate cert

openssl client shows only the cert issuer, as it should show both.
Did I missed something ?

On 26/05/20 7:24 pm, Julien TEHERY wrote:
> To make it work all the time i had to add my intermediate certificate
> (thawte) in the local store, so that means intermediate certificate has
> not been delivered by the squid server as it should.

The experimental GnuTLS support in Debian package does not yet support
certificate chains. That is still some ways off.

For now if there is a chain with intermediate certificates you still
need to use an OpenSSL build of Squid.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux