[squid-users] Multiple SSL certificates on same IP

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 19 22:09:05 UTC 2018


On 20/12/18 9:29 am, Bruno de Paula Larini wrote:
> Em 19/12/2018 16:29, Patrick Chemla escreveu:
>>
>> - Having more than one IP on the server, create SSL certificates from
>> LetsEncrypt including each a list of some domains and sub-domains
>>
>> - Create a very big certificate to have squid using it (not the best
>> choice because domains are of different content, far one to the other)
>>
>> - Having squid managing all certificates on a single IP. (The best
>> because some domains have very high encryption needs, and LetsEncrypt
>> is not their preference)
>>
>>
>> Like a bottle in the sea: Is that possible, multiple certificates,
>> with squid 4.4 on a single IP?
>>
>>
> Based on what I had researched recently, Squid still doesn't handle SNI
> in accel mode, so you could set different, non-wildcard certificates to
> the websites. See:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-0-x-SNI-Support-td4682018.html
> But it would be nice if Amos could confirm if this information is still
> true for 4.4.
> 


There has been some progress in that I have now tested this behaviour
both with multiple certs in different files and sharing a PEM file.


OpenSSL definitely can use only one certificate per http(s)_port. Either
the _last_ loaded if several PEM files are loaded (each call to the
OpenSSL API *replaces* the certs loaded), or if one tries to work around
that by merging everything into a single PEM and only loading it all at
once - only the _first_ cert chain is ever used from that set.

There also does not appear to be any alternative API capable of loading
multiple certs into a single security context and having them used as
leaf certs. If anyone is aware of such a mechanism I would *greatly*
appreciate hearing about it.


On the other hand the GnuTLS mechanism can simply load as many PEMs as
one wants with a single cert chain in each - it "just works", providing
the appropriate cert chain for any requested domain in its serverHello,
or the first cert loaded if the domain has no cert at all.


FYI; there are other bugs apparently with the GnuTLS priority-string
settings (the tls-options= and tls-min-version=) which may prevent
advanced TLS tuning. And of course with GnuTLS builds one cannot yet
have a dual-purpose proxy also doing SSL-Bump on some traffic (if that
matters). So, YMMV as to whether GnuTLS is worthwhile switching to right
now.

If you do choose to switch, the squid.conf for this feature in a GnuTLS
build would look like:

 https_port 443 accel \
    cert=/etc/squid/tls/default.example.com.pem \
    cert=/etc/squid/tls/example.net.pem \
    cert=/etc/squid/tls/example.org.pem \

 ... and so on with a PEM for each domain served by that port.

You should be able to reduce the list a bit by using wildcard certs for
the sub-domains, but I have not tested that possibility yet.


Amos
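An added example, not from this thread or the Squid project, that models the selection behaviour described above: it pulls the cert= list out of an https_port line of the shape shown, then picks the first loaded cert whose names cover the requested SNI, falling back to the first cert (GnuTLS) and, for contrast, the last cert loaded (OpenSSL). The per-file SAN lists are constructed stand-ins for reading the real PEM files.

```python
import re

# Constructed squid.conf fragment in the shape shown in the post (not a real config).
SQUID_CONF = """\
https_port 443 accel \\
    cert=/etc/squid/tls/default.example.com.pem \\
    cert=/etc/squid/tls/example.net.pem \\
    cert=/etc/squid/tls/example.org.pem
"""

# Constructed stand-in for the subjectAltName list inside each PEM; a real
# audit would read the files (e.g. openssl x509 -noout -ext subjectAltName).
CERT_NAMES = {
    "/etc/squid/tls/default.example.com.pem": ["default.example.com", "www.example.com"],
    "/etc/squid/tls/example.net.pem": ["example.net", "*.example.net"],
    "/etc/squid/tls/example.org.pem": ["example.org"],
}


def cert_paths(conf):
    """Return the cert= paths of the first https_port line, in load order.
    Backslash-newline continuations are joined first, as squid does."""
    joined = re.sub(r"\\\n\s*", " ", conf)
    for line in joined.splitlines():
        fields = line.split()
        if fields and fields[0] == "https_port":
            return re.findall(r"\bcert=(\S+)", line)
    return []


def name_matches(pattern, host):
    """RFC 6125 style matching: a wildcard covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def gnutls_served_cert(sni, paths, names):
    """GnuTLS behaviour from the post: first loaded cert whose names cover the
    SNI, otherwise the first cert loaded (also used when no SNI is sent)."""
    for path in paths:
        if sni and any(name_matches(n, sni) for n in names.get(path, [])):
            return path
    return paths[0]


def openssl_served_cert(paths):
    """OpenSSL behaviour from the post: each cert= replaces the previous one,
    so only the last cert loaded is ever served, whatever the SNI says."""
    return paths[-1]
```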

