[squid-users] Squid reject self-signed SSL certificate of ICAP server

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 22 13:33:02 UTC 2017 

On 22/06/17 21:23, Nikita wrote:
> 
> 2017-06-21 19:46 GMT+03:00 Alex Rousskov:
> 
>     On 06/21/2017 10:15 AM, Nikita wrote:
> 
>     > Is it possible to allow self-signed SSL certificates for ICAP server
>     > connections somehow?
> 
>     Can you configure your OpenSSL library (or equivalent) to trust the ICAP
>     server certificate? Squid deletages most of the certificate validation
>     work to OpenSSL (or equivalent).
> 
> 
> Probably worth a try, but generally it is undesirable in my case to 
> modify global OpenSSL config.
> 
> 
>     > There is tls-flags=DONT_VERIFY_PEER flag, but in this case Squid
>     > don't send it's own certificate to ICAP server
> 
>     Why do you think tls-flags=DONT_VERIFY_PEER only works if Squid sends
>     its own certificate? The two actions (from-peer certificate validation
>     and sending of a certificate to a peer) seem unrelated to me.
> 
> 
> In my case for some unknown reasons Squid don't send its own certificate 
> to ICAP server, probably because of DONT_VERIFY_PEER flag, but not sure 
> here. BIO_do_handshake fails with "no certificate returned" on ICAP 
> server side despite the fact that squid certificate was specified via 
> tls-cert and tls-key options of icap_service config directive and ICAP 
> server was configured to request client certificate. It seems need to 
> investigate Squid source code in more detail to find some answers, 
> thanks for advices.


What DONT_VERIFY_PEER does is prevent Squid checking any of the TLS 
server details that ensure it is actually talking to the ICAP server you 
configured it to use. As Alex said it does not directly prevent Squid 
code from sending a client cert, but it *does* allow your Squid traffic 
to be diverted to a completely irrelevant ICAP server and you will never 
know.

It is quite possible the behaviour you are seeing is simply because 
Squid is not even connected to the ICAP server you are trying to test with.

I hope this clarifies why I strongly recommend people erase the 
DONT_VERIFY_PEER option from their configs, and get things going without 
it. It is not a useful debugging tool, let along production setting.


Amos

More information about the squid-users mailing list