[squid-users] Default CA file

Amos Jeffries squid3 at treenet.co.nz
Sun Feb 8 01:19:24 UTC 2015


On 8/02/2015 9:28 a.m., Hector Chan wrote:
> Hi all,
> 
> I have a question about the CA file for SSL certificates.  If I don't
> specify anything for CA, what is default CA certs that squid will use for
> the cache_peer ?

The ones OpenSSL is configured to use.

> 
> Here is a snippet of my config file.
> 
> https_port 127.0.0.1:4443 accel \
>     cert=/etc/certs/certificate \
>     key=/etc/certs/key \
>     options=NO_SSLv2,NO_SSLv3
> ...
> cache_peer xyz.example.com parent 443 0 \
>     no-query originserver \
>     ssl forceddomain= xyz.example.com \

NP: be careful about the whitespace there after forceddomain= .
It will force the domain to be *unset* if the parameter is whitespace.

>     login=PASS \
>     sslcert=/etc/certs/certificate \
>     sslkey=/etc/certs/key \
>     ssloptions=NO_SSLv2,NO_SSLv3


In this configuration the peer certificate will be signed by some CA
(maybe you are doing self-signing).
You need to add the public key for that CA to the cache_peer like so:

cache_peer ... \
  sslcafile=/path/to/xyz.example.com/publicCAkey.pem


Amos
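An added example, not from this thread or from the Squid project, that shows the practical consequence of Amos's two points: with no sslcafile= Squid hands OpenSSL nothing, so the peer certificate is checked against OpenSSL's own default store, and a certificate issued by a private CA only verifies once that CA's PEM certificate (what Amos calls the CA's public key) is supplied. The script builds a throwaway CA and a peer certificate with the openssl CLI and verifies the peer with and without the CA file. The CN "xyz.example.com", the temp-directory paths and the 1-day lifetimes are assumptions for illustration only.

```shell
# Added example (not part of the squid-users thread): show why a cache_peer
# whose certificate is signed by a private CA fails OpenSSL's default trust
# store and needs sslcafile=. Names, paths and lifetimes are constructed.

# Where OpenSSL looks when Squid gives it no CA file: prints OPENSSLDIR.
# The default store is <OPENSSLDIR>/certs and <OPENSSLDIR>/cert.pem unless
# the SSL_CERT_DIR / SSL_CERT_FILE environment variables override it.
default_ca_dir() {
    openssl version -d | sed 's/^OPENSSLDIR: *"\(.*\)"$/\1/'
}

# Build a throwaway private CA and a peer certificate signed by it in "$1".
# Constructed test material only; throwaway 1-day keys, not for production.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=xyz.example.com" \
        -keyout "$dir/peer.key" -out "$dir/peer.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -in "$dir/peer.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/peer.pem" >/dev/null 2>&1
}

# Exit 0 if the certificate chains to OpenSSL's default store, which is
# what a cache_peer without sslcafile= gets; non-zero otherwise.
verify_with_defaults() {
    openssl verify "$1" >/dev/null 2>&1
}

# Exit 0 if the certificate chains to the given CA file, which is what
# "cache_peer ... sslcafile=/path/to/ca.pem" gets; non-zero otherwise.
verify_with_cafile() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demonstration in a temporary directory.
demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir"
    echo "OpenSSL default CA dir: $(default_ca_dir)"
    if verify_with_defaults "$dir/peer.pem"; then
        echo "peer.pem verifies against the default store"
    else
        echo "peer.pem is NOT trusted by the default store: the peer needs sslcafile="
    fi
    if verify_with_cafile "$dir/ca.pem" "$dir/peer.pem"; then
        echo "peer.pem verifies with sslcafile=$dir/ca.pem"
    fi
    rm -rf "$dir"
}

demo
```

To run the same check against the real peer from the Squid host, `openssl s_client -connect xyz.example.com:443 -CAfile /path/to/ca.pem` should report `Verify return code: 0 (ok)`; if it only verifies when you pass -CAfile, the cache_peer needs the matching sslcafile= line.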