[squid-users] Default CA file
Amos Jeffries
squid3 at treenet.co.nz
Sun Feb 8 01:19:24 UTC 2015
On 8/02/2015 9:28 a.m., Hector Chan wrote:
> Hi all,
>
> I have a question about the CA file for SSL certificates. If I don't
> specify anything for CA, what is default CA certs that squid will use for
> the cache_peer ?
The ones OpenSSL is configured to use.
>
> Here is a snippet of my config file.
>
> https_port 127.0.0.1:4443 accel \
> cert=/etc/certs/certificate \
> key=/etc/certs/key \
> options=NO_SSLv2,NO_SSLv3
> ...
> cache_peer xyz.example.com parent 443 0 \
> no-query originserver \
> ssl forceddomain= xyz.example.com \
NP: be careful about the whitespace there after forceddomain= .
It will force the domain to be *unset* if the parameter is whitespace.
> login=PASS \
> sslcert=/etc/certs/certificate \
> sslkey=/etc/certs/key \
> ssloptions=NO_SSLv2,NO_SSLv3
In this configuration the peer certificate will be signed by some CA
(maybe you are doing self-signing).
You need to add the public key for that CA to the cache_peer like so:

  cache_peer ... \
      sslcafile=/path/to/xyz.example.com/publicCAkey.pem

Amos
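
A small linter for the two pitfalls raised in this reply, added here as an example and not part of the original message or of Squid: it flags a `name=` option left with an empty value and an `ssl` peer that names no CA and so falls back to OpenSSL's configured set. The sample configuration is constructed from the quoted snippet; the function names and the check for `sslcapath=` are assumptions not taken from the thread.

```python
# Constructed sample modelled on the configuration quoted in the thread.
SAMPLE_CONF = """\
https_port 127.0.0.1:4443 accel \\
    cert=/etc/certs/certificate \\
    key=/etc/certs/key
cache_peer xyz.example.com parent 443 0 \\
    no-query originserver \\
    ssl forceddomain= xyz.example.com \\
    login=PASS \\
    sslcert=/etc/certs/certificate \\
    sslkey=/etc/certs/key
cache_peer abc.example.com parent 443 0 \\
    no-query originserver ssl \\
    forceddomain=abc.example.com \\
    sslcafile=/etc/certs/abc-ca.pem
"""

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield buf.strip()
        buf = ""

def check_cache_peers(text):
    """Return a list of (peer, message) findings for cache_peer lines."""
    findings = []
    for line in logical_lines(text):
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "cache_peer":
            continue
        # Layout: cache_peer <host> <type> <http-port> <icp-port> [options]
        peer, options = tokens[1], tokens[5:]
        for opt in options:
            if opt.endswith("="):  # whitespace followed the '='
                findings.append((peer, f"{opt} has an empty value"))
        has_ca = any(o.startswith(("sslcafile=", "sslcapath=")) for o in options)
        if "ssl" in options and not has_ca:
            findings.append((peer, "no sslcafile=: OpenSSL default CAs are used"))
    return findings

if __name__ == "__main__":
    for peer, message in check_cache_peers(SAMPLE_CONF):
        print(f"{peer}: {message}")
```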