<div dir="ltr"><div class="gmail-m_4367764167941461034gmail_signature"><div dir="ltr"><div>Hello,</div><div><br></div><div>I want to setup Squid as a HTTPS reverse proxy for several of our websites, but I have a certificate verification problem on Squid access.log.</div><div>Our upstream webservers are behind a VPN tunnel and only the Squid server can access it. (<i>We actually use Nginx for the same purpose but want to switch to Squid)</i><br></div><div><br></div><div> HTTPS HTTPS</div><div>[client browser] -----------------------> [Squid] --------------------------> [upstream server]</div><div><br></div><div><br></div><div>I run squid 3.4.8-6+deb8u4 recompiled with<font face="monospace, monospace"> --enable-ssl --with-open-ssl="/etc/ssl/<wbr>openssl.cnf"</font><font face="arial, helvetica, sans-serif"> on Debian Jessie.</font></div><div><br></div><div>The certificate presented to the client is the same as on the upstream server, a wildcard one signed by GeoTrust (with intermediate CA). It appears correctly in the browser.</div><div>The problem comes from squid verification of upstream certificate.</div><div><br></div><div>My basic squid.conf looks like</div><div><br></div><div><div><span style="font-family:monospace,monospace">https_port <squid IP>:443 accel defaultsite=upstream1.domain.</span><wbr style="font-family:monospace,monospace"><span style="font-family:monospace,monospace">tld vhost cert=<path to SSL cert></span><br></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">cache_peer <upstream IP> parent 443 0 no-query originserver name=upstream1 ssl </font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">acl upstream1 dstdomain upstream1.domain.tld</font></div><div><font face="monospace, monospace">cache_peer_access upstream1 allow upstream1</font></div></div><div><br></div><div>And logs are full of</div><div><br></div><div><font face="monospace, monospace">fwdNegotiateSSL: Error negotiating SSL connection on FD 14: error:14090086:SSL routines:SSL3_GET_SERVER_<wbr>CERTIFICATE:certificate verify failed (1/-1/0)<br></font></div><div><font face="monospace, monospace">TCP connection to <upstream IP> failed</font><br></div><div><br></div><div><br></div><div>If I verify with openssl the upstream server, I got an error but if I give it the intermediary CA certificate (to be precise I give it the full chain concatenated in one file), it's OK.<br></div><div><br></div><div><font face="monospace, monospace">$ openssl s_client -showcerts -connect upstream.domain.tld:443 -CAfile <path to full cert chain>.pem </font></div><div><div><font face="monospace, monospace">CONNECTED(00000003)</font></div><div><font face="monospace, monospace">depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA</font></div><div><font face="monospace, monospace">verify return:1</font></div><div><font face="monospace, monospace">depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA</font></div><div><font face="monospace, monospace">verify return:1</font></div><div><font face="monospace, monospace">depth=0 CN = *.<a href="http://fraudbuster.mobi">fraudbuster.mobi</a></font></div><div><font face="monospace, monospace">verify return:1</font></div></div><div><br></div><div><font face="monospace, monospace">...</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><div> Timeout : 300 (sec)</div></font></div><div><div><font face="monospace, monospace"> Verify return code: 0 (ok)</font></div></div><div><br></div><div><br></div><div>In squid, I tried several options for cache_peer (sslcapath and sslcafile...) but I keep having this error. Of course the <font face="monospace, monospace">sslflags=DONT_VERIFY_PEER,<wbr>DONT_VERIFY_DOMAIN</font> options solve the problem, but I don't want to use this solution (my certificate is legitimate and want to validate it normally).</div><div><br></div><div>What am I doing wrong? and what should I do to make squid work in this setup?</div><div><br></div><div>Thanks.</div><div><br></div><div>Eric.</div></div></div>
</div>