[squid-users] sending certificate chain from squid reverse proxy

Kate Dawson aland at burngreave.net
Tue Jul 16 12:34:12 UTC 2019


Hi, 

Is it possible to send a certificate chain from squid when it's used in
reverse proxy (accel) mode and compiled with GnuTLS?

I am running Debian Buster, and the packaged squid https://packages.debian.org/buster/squid is 4.6-1 

squid -v reports that it is compiled --with-gnutls

I have the following line (for squid proxy in front of Microsoft Exchange 2016).

https_port 443 accel tls-cert=fullchain.crt tls-key=privkey.pem defaultsite=webmail.example.com vhost  connection-auth=off tls-dh=dh2048.pem

Where fullchain.crt is a concatenation of the public certificate and an
intermediate CA. 

The http://www.squid-cache.org/Versions/v4/cfgman/http_port.html
page says the following regarding the tls-cert option:

tls-cert=	Path to file containing an X.509 certificate (PEM format)
		to be used in the TLS handshake ServerHello.

		...

		When OpenSSL is used this file may also contain a
		chain of intermediate CA certificates to send in the
		TLS handshake.

		When GnuTLS is used this option (and any paired
		tls-key= option) may be repeated to load multiple
		certificates for different domains.

Is it possible to send an intermediate certificate when built with GnuTLS, and if so, what are the options?


Thanks in advance, 

Kate Dawson

-- 
"The introduction of a coordinate system to geometry is an act of violence"
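Whatever the answer for the GnuTLS build turns out to be, the first thing to rule out is a badly assembled fullchain.crt: TLS requires the leaf first, followed by each intermediate in signing order, and a bundle that is reversed or missing the intermediate produces exactly the "unable to verify the first certificate" symptom seen from clients. The script below is an added example, not code from the original post or from the Squid project; it parses a PEM bundle with a minimal DER walk of the TBSCertificate (version, serial, signature algorithm, issuer, validity, subject) and checks that each certificate's issuer Name is byte-for-byte equal to the next certificate's subject Name. The sample certificates at the bottom are constructed, structurally minimal DER objects for demonstration only, not real signed certificates; the names webmail.example.com, "Example Intermediate CA" and "Example Root CA" are placeholders. The `check_bundle` function works on a real fullchain.crt as well.

```python
"""Sanity-check a PEM bundle (leaf + intermediates) before handing it to a
reverse proxy: every certificate's issuer must equal the subject of the
certificate that follows it, which is the order TLS expects in the handshake."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_bundle(pem_text):
    """Return the DER bytes of each certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_BLOCK.finditer(pem_text)]


def _tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, tlv_start, value_start, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    value = pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[value:value + n], "big")
        value += n
    return tag, pos, value, value + length


def subject_and_issuer(der):
    """Return (subject_der, issuer_der) of an X.509 certificate as raw Name TLVs.

    Walks Certificate -> tbsCertificate -> [version] serialNumber signature
    issuer validity subject.  Comparing the raw DER Names is exact and needs
    no attribute decoding."""
    tag, _, tbs_pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos, _ = _tlv(der, tbs_pos)        # tbsCertificate SEQUENCE
    tag, _, _, end = _tlv(der, pos)
    if tag == 0xA0:                          # optional version [0] EXPLICIT
        pos = end
    pos = _tlv(der, pos)[3]                  # serialNumber
    pos = _tlv(der, pos)[3]                  # signature AlgorithmIdentifier
    _, start, _, pos = _tlv(der, pos)        # issuer Name
    issuer = der[start:pos]
    pos = _tlv(der, pos)[3]                  # validity
    _, start, _, pos = _tlv(der, pos)        # subject Name
    subject = der[start:pos]
    return subject, issuer


def check_bundle(pem_text):
    """Return a list of findings; an empty list means the bundle is ordered
    leaf -> intermediate(s) and is ready to be served as the handshake chain."""
    certs = split_pem_bundle(pem_text)
    if not certs:
        return ["no PEM certificates found"]
    findings = []
    if len(certs) == 1:
        findings.append("bundle holds only one certificate: no intermediate will be sent")
    names = [subject_and_issuer(c) for c in certs]
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            findings.append(f"certificate {i} issuer != certificate {i + 1} subject "
                            "(chain out of order or wrong intermediate)")
    if len(certs) > 1 and names[-1][0] == names[-1][1]:
        findings.append("last certificate is self-signed (a root); clients must already "
                        "trust it, so it only adds bytes to the handshake")
    return findings


# --- constructed sample data: structurally valid DER, NOT real signed certs ---
def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single CN (2.5.4.3)."""
    atv = _enc(0x30, bytes.fromhex("0603550403") + _enc(0x0C, cn.encode()))
    return _enc(0x30, _enc(0x31, atv))


def _fake_cert(subject_cn, issuer_cn):
    """Minimal TBSCertificate layout so subject_and_issuer() can walk it."""
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02"))    # version v3
                     + _enc(0x02, b"\x01")              # serialNumber
                     + _enc(0x30, b"")                  # signature alg (placeholder)
                     + _name(issuer_cn)
                     + _enc(0x30, b"")                  # validity (placeholder)
                     + _name(subject_cn)
                     + _enc(0x30, b""))                 # SPKI (placeholder)
    der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


LEAF = _fake_cert("webmail.example.com", "Example Intermediate CA")
INTERMEDIATE = _fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = _fake_cert("Example Root CA", "Example Root CA")

GOOD_BUNDLE = LEAF + INTERMEDIATE            # what fullchain.crt should look like
LEAF_ONLY = LEAF                             # intermediate forgotten
WRONG_ORDER = INTERMEDIATE + LEAF            # concatenated in the wrong order
WITH_ROOT = LEAF + INTERMEDIATE + ROOT       # root appended unnecessarily

if __name__ == "__main__":
    for label, bundle in [("fullchain", GOOD_BUNDLE), ("leaf only", LEAF_ONLY),
                          ("reversed", WRONG_ORDER), ("with root", WITH_ROOT)]:
        print(f"{label}: {check_bundle(bundle) or 'OK'}")
```

To run it against a real bundle, pass the file contents to `check_bundle(open("fullchain.crt").read())`. Checking the file only proves the bundle is sound; whether the proxy actually presents the intermediate is a separate question, answered by connecting to the port with `openssl s_client -showcerts` (with `-servername` set for a vhost setup) and counting the certificates printed in the handshake.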