<div dir="ltr"><div>Ah after reading your reply that makes perfect sense.</div>Thanks so much Amos, you nailed it.<div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 30, 2016 at 12:17 AM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 29/06/2016 10:01 p.m., Bruce Rosenberg wrote:<br>
> Hi,<br>
><br>
> I'm using squid 3.5.19 on RHEL6 and have configured SSL bump, which for the<br>
> most part is working great.<br>
> The issue I have is I need to install some additional CA certs that are not<br>
> provided by the ca-certificates-2015 RPM in the /etc/pki/tls/cert.pem file<br>
> (symlinked to /etc/pki/tls/certs/ca-bundle.crt).<br>
> I've tried adding both the cafile and capath options to the http_port entry<br>
> but neither seems to have any effect.<br>
> With the cafile option I can see squid open the file via an strace but when<br>
> I connect to the server it fails with a 503 as the SSL session to the<br>
> remote side is failing to verify.<br>
> With the capath option, strace shows that squid never attempts to open any<br>
> files in that directory.<br>
> Dynamic certificate generation between squid and the client is working fine<br>
> however.<br>
><br>
</span>...<br>
<span class="">><br>
> Are the cafile and capath options supposed to work like this i.e. do they<br>
> allow you to complement the OS supplied CA certs for remote site<br>
> verification or have I completely misread the documentation?<br>
<br>
</span>The options *on http_port* are supposed to act like that, yes.<br>
<br>
I think you have just mistaken the distinction between the three types<br>
of connection Squid has to juggle.<br>
<br>
<br>
http(s)_port is for links between client and Squid. Those parameters<br>
are used for verifying *client certificates*.<br>
<br>
The sslproxy_* set of directives is for direct Squid->server links. The<br>
sslproxy_cafile and/or sslproxy_capath load the extra special CA you<br>
want to add to the system default ones.<br>
<br>
cache_peer is for static links to a known server/peer. It has its own<br>
cafile= and capath= options for the CAs used to verify that specific server.<br>
Ideally the system CAs would not be used here.<br>
<br>
<br>
If I'm understanding your needs correctly then you want to be<br>
configuring sslproxy_cafile and/or sslproxy_capath.<br>
<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br></div>
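As an added illustration (not from the thread or the Squid project), a squid.conf fragment laying out the three connection types Amos describes for 3.5, with the misplaced http_port option shown beside the directive that actually governs verification of the bumped remote site. File paths and the peer hostname are assumed.

```conf
# Client <-> Squid side. http_port options only govern what Squid presents
# to clients and how it verifies *client* certificates.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# Adding cafile=/etc/squid/extra-ca.pem to the line above is the original
# mistake: strace shows the file being opened, but it is never consulted when
# Squid verifies the remote server, so the bumped connection still ends in a 503.

# Squid <-> origin server side. Extra CAs for verifying bumped remote sites go
# here, in addition to the OpenSSL system defaults.
sslproxy_cafile /etc/squid/extra-ca.pem
# Alternatively a c_rehash-style directory of one file per CA (assumed path):
# sslproxy_capath /etc/squid/extra-ca.d

# Static Squid <-> peer link: its own CA set, independent of the two above
# (option names as documented for cache_peer in 3.5).
cache_peer upstream.example.internal parent 3128 0 ssl sslcafile=/etc/squid/peer-ca.pem

# Dynamic certificate generation and bump rules (assumed helper/db paths).
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

After reloading, a failing remote verification shows up as a 503 on the client and an OpenSSL verify error in cache.log, so the sslproxy_cafile change can be confirmed by the disappearance of that error rather than by strace alone.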