[squid-users] Multiple SSL certificates on same IP
squid3 at treenet.co.nz
Wed Dec 19 22:09:05 UTC 2018
On 20/12/18 9:29 am, Bruno de Paula Larini wrote:
> Em 19/12/2018 16:29, Patrick Chemla escreveu:
>> - Having more than one IP on the server, create SSL certificates from
>> LetsEncrypt including each a list of some domains and sub-domains
>> - Create a very big certificate to have squid using it (not the best
>> choice because domains are of different content, far one to the other)
>> - Having squid managing all certificates on a single IP. (The best
>> because some domains have very high encryption needs, and LetsEncrypt
>> is not their preference)
>> Like a bottle in the sea: Is that possible, multiple certificates,
>> with squid 4.4 on a single IP?
> Based on what I had researched recently, Squid still doesn't handle SNI
> in accel mode, so you could set different, non-wildcard certificates to
> the websites. See:
> But it would be nice if Amos could confirm if this information is still
> true for 4.4.
There has been some progress in that I have now tested this behaviour
both with multiple certs in different files and sharing a PEM file.
OpenSSL definitely can use only one certificate per http(s)_port. Either
the _last_ loaded if several PEM files are loaded (each call to the
OpenSSL API *replaces* the certs loaded), or if one tries to work around
that by merging everything into a single PEM and only loading it all at
once - only the _first_ cert chain is ever used from that set.
There also does not appear to be any alternative API capable of loading
multiple certs into a single security context and having them used as
leaf certs. If anyone is aware of such a mechanism I would *greatly*
appreciate hearing about it.
On the other hand the GnuTLS mechanism can simply load as many PEMs as
one wants with a single cert chain in each - it "just works". Providing
the appropriate cert chain for any requested domain in its serverHello,
or the first cert loaded if the domain has no cert at all.
FYI; there are other bugs apparently with the GnuTLS priority-string
settings (the tls-options= and tls-min-version=) which may prevent
advanced TLS tuning. And of course with GnuTLS builds one cannot yet
have a dual-purpose proxy also doing SSL-Bump on some traffic (if that
matters). So, YMMV as to whether GnuTLS is worthwhile switching to right
If you do choose to switch the squid.conf for this feature in a GnuTLS
build would look like:
https_port 443 accel \
... and so on with a PEM for each domain served by that port.
You should be able to reduce the list a bit by using wildcard certs for
the sub-domains, but I have not tested that possibility yet.
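An added example, not code from this thread or from Squid itself: the per-SNI selection Amos describes, written against Go's crypto/tls instead of OpenSSL or GnuTLS (Go's library exposes a GetCertificate callback that runs per ClientHello, which is the mechanism the OpenSSL single-context loading above lacks). It stands up one TLS listener on a single loopback IP:port with one self-signed certificate per domain, probes it with three SNI names, and reports which certificate was served; a name with no matching cert falls back to the first one loaded, the same fallback described for the GnuTLS build. The domain names and certificates are constructed test data.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throw-away self-signed cert for one domain (constructed test data).
func selfSigned(domain string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain}, // the SAN that the client's SNI is matched against
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: der was just produced above
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// certSelector is the GetCertificate callback: serve the chain whose SAN matches the
// client's SNI, else the first loaded chain (the fallback the thread describes for GnuTLS).
func certSelector(certs []tls.Certificate) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		for i := range certs {
			if hello.ServerName != "" && certs[i].Leaf.VerifyHostname(hello.ServerName) == nil {
				return &certs[i], nil
			}
		}
		return &certs[0], nil
	}
}

// servedCN connects with the given SNI name and reports the CommonName of the leaf cert
// the server presented. InsecureSkipVerify only because the certs are self-signed.
func servedCN(addr, sni string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// runDemo: one listener on a single loopback IP:port, one cert per domain; returns sni -> served CN.
func runDemo(domains, probes []string) (map[string]string, error) {
	var certs []tls.Certificate
	for _, d := range domains {
		c, err := selfSigned(d)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: certSelector(certs)})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // accept loop: finish the handshake, then hang up
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); c.(*tls.Conn).Handshake() }()
		}
	}()
	out := map[string]string{}
	for _, p := range probes {
		cn, err := servedCN(ln.Addr().String(), p)
		if err != nil {
			return nil, err
		}
		out[p] = cn
	}
	return out, nil
}

func main() {
	res, err := runDemo([]string{"shop.example.test", "blog.example.test"}, []string{"shop.example.test", "blog.example.test", "other.example.test"})
	if err != nil {
		panic(err)
	}
	fmt.Println(res) // other.example.test falls back to the first cert, shop.example.test
}
```

The servedCN probe is the useful part for checking a real deployment: point it at an accel https_port with each hosted domain as the SNI name and confirm the CommonName changes per domain, which is exactly what the OpenSSL build cannot do and the GnuTLS build should.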