<div dir="ltr">Yuri and Amos, thanks for the replies! There is an openssl command that tells where OpenSSL will search for CA certs. <br><br><code class="">$ openssl version -d</code><div class=""><code class="">OPENSSLDIR: "/etc/pki/tls"</code></div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 7, 2015 at 5:19 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 8/02/2015 9:28 a.m., Hector Chan wrote:<br>
> Hi all,<br>
><br>
> I have a question about the CA file for SSL certificates. If I don't<br>
> specify anything for CA, what is default CA certs that squid will use for<br>
> the cache_peer ?<br>
<br>
</span>The ones OpenSSL is configured to use.<br>
<span class=""><br>
><br>
> Here is a snippet of my config file.<br>
><br>
> https_port 127.0.0.1:4443 accel \<br>
> cert=/etc/certs/certificate \<br>
> key=/etc/certs/key \<br>
> options=NO_SSLv2,NO_SSLv3<br>
> ...<br>
> cache_peer xyz.example.com parent 443 0 \<br>
> no-query originserver \<br>
> ssl forcedomain= xyz.example.com \<br>
<br>
</span>NP: be careful about the whitespace there after forcedomain= .<br>
It will force the domain to be *unset* if the parameter is whitespace.<br>
<br>
> login=PASS \<br>
> sslcert=/etc/certs/certificate \<br>
> sslkey=/etc/certs/key \<br>
> ssloptions=NO_SSLv2,NO_SSLv3<br>
<br>
<br>
In this configuration the peer certificate will be signed by some CA<br>
(maybe you are doing self-signing).<br>
You need to add the public key for that CA to the cache_peer like so:<br>
<br>
cache_peer ... \<br>
sslcafile=/path/to/xyz.example.com/publicCAkey.pem<br>
<br>
<br>
Amos<br>
<span class=""><br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
</span><a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br></div>
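<p>The two problems raised in this thread (a <code>forcedomain=</code> whose value is lost to the whitespace after the <code>=</code>, and an <code>ssl</code> peer with no <code>sslcafile=</code>, which makes OpenSSL fall back to its default CA store) are easy to catch mechanically before reloading Squid. The following is an added example, not code from the thread or from the Squid project: a small linter that folds backslash-continued lines, parses <code>cache_peer</code> directives, and reports both conditions. The sample <code>squid.conf</code> text is constructed from the snippet quoted above; the recognised option names are the Squid 3.x <code>cache_peer</code> options, and the default CA location is read with Python's <code>ssl.get_default_verify_paths()</code>, which reports the same OPENSSLDIR-based paths that <code>openssl version -d</code> does.</p>

```python
import ssl

# Constructed from the squid.conf snippet quoted in the thread; note the
# space after "forcedomain=" that Amos flagged (whitespace here is the bug).
SAMPLE_CONF = """\
https_port 127.0.0.1:4443 accel \\
    cert=/etc/certs/certificate \\
    key=/etc/certs/key \\
    options=NO_SSLv2,NO_SSLv3
cache_peer xyz.example.com parent 443 0 \\
    no-query originserver \\
    ssl forcedomain= xyz.example.com \\
    login=PASS \\
    sslcert=/etc/certs/certificate \\
    sslkey=/etc/certs/key \\
    ssloptions=NO_SSLv2,NO_SSLv3
"""

# cache_peer options this linter recognises (Squid 3.x names); any other
# token on the line is reported rather than silently accepted.
KNOWN_FLAGS = {"no-query", "originserver", "ssl", "default", "round-robin",
               "proxy-only", "no-digest", "no-netdb-exchange", "htcp"}
KNOWN_VALUED = {"forcedomain", "login", "name", "weight", "connect-timeout",
                "max-conn", "sslcert", "sslkey", "sslcafile", "sslcapath",
                "ssloptions", "sslflags", "ssldomain", "sslversion", "sslcipher"}


def join_continuations(text):
    """Fold backslash-continued lines into single logical directives."""
    logical, buf = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        joined = " ".join(part for part in buf if part)
        buf = []
        if joined and not joined.startswith("#"):
            logical.append(joined)
    return logical


def parse_cache_peer(directive):
    """Split one logical cache_peer line into positional fields and options."""
    tokens = directive.split()
    if len(tokens) < 5 or tokens[0] != "cache_peer":
        raise ValueError("not a complete cache_peer directive: %r" % directive)
    peer = {"host": tokens[1], "type": tokens[2], "http_port": int(tokens[3]),
            "icp_port": int(tokens[4]), "options": {}, "unknown": []}
    for tok in tokens[5:]:
        name, eq, value = tok.partition("=")
        if eq and name in KNOWN_VALUED:
            peer["options"][name] = value      # value may be "" (see lint)
        elif not eq and tok in KNOWN_FLAGS:
            peer["options"][tok] = True
        else:
            peer["unknown"].append(tok)        # e.g. a domain orphaned by "forcedomain= "
    return peer


def default_ca_paths():
    """CA locations the linked OpenSSL uses when no sslcafile=/sslcapath= is set;
    the same OPENSSLDIR-derived paths that `openssl version -d` points at."""
    return ssl.get_default_verify_paths()


def lint_cache_peer(peer):
    """Return human-readable findings for one parsed cache_peer."""
    findings = []
    opts = peer["options"]
    if "forcedomain" in opts and opts["forcedomain"] == "":
        findings.append("forcedomain= has an empty value (whitespace after '='), "
                        "so the forced domain is unset")
    for tok in peer["unknown"]:
        findings.append("unrecognised cache_peer option %r" % tok)
    if opts.get("ssl") and not ("sslcafile" in opts or "sslcapath" in opts):
        paths = default_ca_paths()
        findings.append("ssl peer %s has no sslcafile=/sslcapath=; the peer chain "
                        "is verified against OpenSSL defaults (%s, %s)"
                        % (peer["host"], paths.openssl_cafile, paths.openssl_capath))
    return findings


def lint_conf(text):
    """Run the checks over every cache_peer directive in a squid.conf body."""
    report = {}
    for directive in join_continuations(text):
        if directive.startswith("cache_peer "):
            peer = parse_cache_peer(directive)
            report[peer["host"]] = lint_cache_peer(peer)
    return report


if __name__ == "__main__":
    for host, findings in lint_conf(SAMPLE_CONF).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

<p>Run against the sample, the linter reports the empty <code>forcedomain=</code>, the orphaned <code>xyz.example.com</code> token that the stray space produces, and the missing <code>sslcafile=</code> together with the default store the chain would otherwise be checked against. Pointing <code>sslcafile=</code> at the CA that signed the peer certificate, as Amos suggests, clears the last finding; a private CA is never in the OPENSSLDIR bundle unless someone put it there.</p>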