[squid-users] usage of sslcapath in cache_peer
Hector Chan
hectorchan at gmail.com
Wed Feb 18 01:24:26 UTC 2015
Forgot to add. The actual cert is world readable.
[admin at dsg214 ~]# ll
/data/cacerts/../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
-rw-r--r-- 1 admin root 1108 Feb 18 00:21
/data/cacerts/../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
On Tue, Feb 17, 2015 at 5:18 PM, Hector Chan <hectorchan at gmail.com> wrote:
> Hi All,
>
> I have a question about using sslcapath in cache_peer. My
> server.example.com has a self-signed cert, which I imported into my squid
> box under /data/certs. The following cache_peer line actually worked.
> However, if I remove the sslcafile, squid won't verify the self-signed cert.
>
> cache_peer server.example.com parent 443 0 \
> no-query originserver ssl \
> forceddomain=server.example.com \
> login=PASS \
> sslcert=/data/certs/certificate sslkey=/data/certs/key \
> ssloptions=NO_SSLv2,NO_SSLv3 \
> sslcafile=/data/cacerts/72af835f.0 \
> sslcapath=/data/cacerts
>
> [admin at dsg214 cacerts]# ls -l
> total 0
> lrwxrwxrwx 1 admin root 53 Feb 18 00:22 35fa123a.0 ->
> ../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
>
> Running openssl command from the squid box verified the certificate chain
> ok with the -CApath option, which really puzzled me.
> # openssl s_clients -CApath /data/certs -connect server.example.com:443
>
> Any ideas?
>
> Thanks,
> Hector
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150217/247e4790/attachment.html>
More information about the squid-users
mailing list