[squid-users] Multiple SSL certificates on same IP

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 19 22:09:05 UTC 2018

On 20/12/18 9:29 am, Bruno de Paula Larini wrote:
> Em 19/12/2018 16:29, Patrick Chemla escreveu:
>> - Having more than one IP on the server, create SSL certificates from
>> LetsEncrypt including each a list of some domains and sub-domains
>> - Create a very big certificate to have squid using it (not the best
>> choice because domains are of different content, far one to the other)
>> - Having squid managing all certificates on a single IP. (The best
>> because some domains have very high encryption needs, and LetsEncrypt
>> is not their preference)
>> Like a bottle in the sea: Is that possible, multiple certificates,
>> with squid 4.4 on a single IP?
> Based on what I had researched recently, Squid still doesn't handle SNI
> in accel mode, so you could set different, non-wildcard certificates to
> the websites. See:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-0-x-SNI-Support-td4682018.html
> But it would be nice if Amos could confirm if this information is still
> true for 4.4.

There has been some progress in that I have now tested this behaviour
both with multiple certs in different files and sharing a PEM file.

OpenSSL definitely can use only one certificate per http(s)_port. Either
the _last_ loaded if several PEM files are loaded (each call to the
OpenSSL API *replaces* the certs loaded), or if one tries to work around
that by merging everything into a single PEM and only loading it all at
once - only the _first_ cert chain is ever used from that set.

There also does not appear to be any alternative API capable of loading
multiple certs into a single security context and having them used as
leaf certs. If anyone is aware of such a mechanism I would *greatly*
appreciate hearing about it.

On the other hand the GnuTLS mechanism can simply load as many PEM's as
one wants with a single cert chain in each - it "just works". Providing
the appropriate cert chain for any requested domain in its serverHello,
or the first cert loaded if the domain has no cert at all.

FYI; there are other bugs apparently with the GnuTLS priority-string
settings (the tls-options= and tls-min-version=) which may prevent
advanced TLS tuning. And of course with GnuTLS builds one cannot yet
have a dual-purpose proxy also doing SSL-Bump on some traffic (if that
matters). So, YMMV as to whether GnuTLS is worthwhile switching to right

If you do choose to switch the squid.conf for this feature in a GnuTLS
build would look like:

 https_port 443 accel \
    cert=/etc/squid/tls/default.example.com.pem \
    cert=/etc/squid/tls/example.net.pem \
    cert=/etc/squid/tls/example.org.pem \

 ... and so on with a PEM for each domain served by that port.

You should be able to reduce the list a bit by using wildcard certs for
the sub-domains, but I have not tested that possibility yet.
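
The behaviour described above (one certificate per port under OpenSSL, the matching chain per SNI name under GnuTLS) is easiest to confirm from the outside: connect to the same IP and port several times, each time with a different server_name in the ClientHello, and look at which leaf certificate comes back. The script below is an added example written for this note, not code from the thread or from Squid; it assumes the proxy is reachable at a host and port given on the command line, and that its chains verify against the system CA bundle (or a bundle passed as cafile). Chain verification is left on so that getpeercert() returns a parsed dict, but hostname checking is switched off, because a certificate for the wrong name is precisely what we want to observe rather than abort on. The wildcard matching follows the usual rule (a single label, leftmost position only), which is the thing to keep in mind before trying to shrink the cert= list with wildcards.

```python
"""Probe a TLS endpoint with several SNI names and report which leaf
certificate the server picks for each one (added example, not Squid code)."""
import socket
import ssl
from typing import Dict, Iterable, List, Optional


def san_dns_names(cert: dict) -> List[str]:
    """DNS names from a certificate dict in the ssl.getpeercert() format.
    Falls back to the subject commonName when the cert carries no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_covered(dns_names: Iterable[str], hostname: str) -> bool:
    """Exact match, or a wildcard in the leftmost label only that matches
    exactly one label: *.example.net covers www.example.net but neither
    example.net nor a.b.example.net."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                # ".example.net"
            if host.endswith(suffix):
                prefix = host[:-len(suffix)]  # the label the '*' stands for
                if prefix and "." not in prefix:
                    return True
    return False


def probe_sni(host: str, port: int, server_name: str,
              cafile: Optional[str] = None,
              timeout: float = 5.0) -> List[str]:
    """Open one TLS connection sending server_name as SNI and return the
    DNS names of the leaf certificate the server chose. The chain is still
    verified (so getpeercert() yields a dict) but the hostname is not,
    since a wrong-name certificate is the result we are looking for."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return san_dns_names(tls.getpeercert())


def mismatches(served: Dict[str, List[str]]) -> List[str]:
    """SNI names whose returned certificate does not cover them. With the
    OpenSSL single-cert behaviour every name but one lands here."""
    return [sni for sni, names in served.items()
            if not name_covered(names, sni)]


def check_endpoint(host: str, port: int, server_names: Iterable[str],
                   cafile: Optional[str] = None):
    """Probe every name and return (sni -> served DNS names, failing SNIs)."""
    served = {sni: probe_sni(host, port, sni, cafile) for sni in server_names}
    return served, mismatches(served)


if __name__ == "__main__":
    import sys
    # usage: python sni_probe.py 192.0.2.10 443 example.net example.org ...
    host, port, *names = sys.argv[1:]
    served, bad = check_endpoint(host, int(port), names)
    for sni, dns in served.items():
        print(f"{sni:30} -> {dns}")
    sys.exit(1 if bad else 0)
```

Run it once against an OpenSSL build and once against a GnuTLS build with the same https_port line: the first should list every name except one under mismatches, the second should list none, and a name with no cert= entry of its own should come back with the first loaded chain (default.example.com.pem in the config above).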

