[squid-users] HTTPS_PORT AND SSL CERT

Julien TEHERY julien.tehery at mediactivegroup.com
Wed May 27 06:10:55 UTC 2020


It's already the case, the server has a public IP and a valid cert.
As Amos says, it is related to the GnuTLS implementation, which is experimental. Squid has to be built with OpenSSL to support chain certificates.
________________________________
From: Ronan Lucio <ronanlucio at gmail.com>
Sent: Wednesday, May 27, 2020 02:10
To: Julien TEHERY <julien.tehery at mediactivegroup.com>
Cc: squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] HTTPS_PORT AND SSL CERT

If your server listens on a public IP, you can use a valid certificate.

On Tue, May 26, 2020 at 7:24 PM Julien TEHERY
<julien.tehery at mediactivegroup.com> wrote:
>
> Hi there,
>
> I'm actually facing a problem with Squid 4.6-1 (Debian 10).
> I'm using Squid with the https_port directive, using an SSL certificate (a true one, not self-signed).
>
> Here is the simple setup:
>
> https_port X.X.X.X:8443 tls-cert=/etc/squid/mywildcard.com.pem
>
> The fact is that this setup works for all Firefox versions using a proxy.pac file for HTTPS connections to the Squid server.
> But for Chrome this is quite different. Indeed, Chrome uses the system's proxy settings and I noticed that sometimes it would work and sometimes it would fail.
> To make it work all the time I had to add my intermediate certificate (thawte) to the local store, so that means the intermediate certificate has not been delivered by the Squid server as it should.
>
> The pem file in the above setup already contains this (pem file done by concatenating private key, cert, intermediate and root CA). I also tried the following syntax:
>
> https_port X.X.X.X:8443 cert=/etc/squid/mywildcard..com.cer key=/etc/squid/mywildcard.com.key cafile=/etc/squid/mywildcard..com-intermediaire.txt
>
> but each time I try to see with the openssl client if my intermediate is delivered, it's not.
> I use "openssl s_client -showcerts -connect myproxy.com:8443"
>
> If I do the same thing on an Apache server with the same certificate files I can see both the certificate and the intermediate. Why isn't Squid able to show it, did I miss something?
>
>
> Thanks for your help
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
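
An added example (not part of the original thread, and not Squid project code): a shell function that classifies the `Certificate chain` section printed by the `openssl s_client -showcerts` check quoted above, so a server that sends only its leaf certificate is flagged. The function names and both sample outputs are constructed for illustration.

```shell
# Added example. Reads `openssl s_client -showcerts` text on stdin and prints:
#   leaf-only    only the server certificate was sent (no intermediate)
#   chain-sent   leaf plus intermediate(s), each one issued by the next
#   chain-broken several certificates sent, but issuer/subject do not link
#   no-certs     no "Certificate chain" entries found
classify_chain() {
    awk '
        BEGIN { n = 0 }
        /^Certificate chain/  { in_chain = 1; next }
        /^Server certificate/ { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss[n] = $0; n++; next }
        END {
            if (n == 0) { print "no-certs"; exit }
            if (n == 1) { print "leaf-only"; exit }
            # The last certificate is signed by a root the client holds: not checked.
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) { print "chain-broken"; exit }
            print "chain-sent"
        }'
}

# Constructed sample: server sends the leaf only (the symptom in the thread).
sample_leaf_only() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.mywildcard.com
   i:C = US, O = Constructed CA, CN = Constructed Intermediate CA
---
Server certificate
EOF
}

# Constructed sample: the same leaf followed by its intermediate.
sample_with_intermediate() {
cat <<'EOF'
Certificate chain
 0 s:CN = *.mywildcard.com
   i:C = US, O = Constructed CA, CN = Constructed Intermediate CA
 1 s:C = US, O = Constructed CA, CN = Constructed Intermediate CA
   i:C = US, O = Constructed CA, CN = Constructed Root CA
---
EOF
}
# Live use (host and port as in the post):
#   openssl s_client -showcerts -connect myproxy.com:8443 </dev/null 2>/dev/null | classify_chain
```

A client that already has the intermediate cached or installed locally will still validate a `leaf-only` server, which is consistent with the intermittent behaviour reported in the post.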