[squid-users] Default CA file
Hector Chan
hectorchan at gmail.com
Sun Feb 8 06:03:30 UTC 2015
Yuri and Amos, thanks for the replies! There is an openssl command that
tells where OpenSSL will search for CA certs.
$ openssl version -d
OPENSSLDIR: "/etc/pki/tls"
On Sat, Feb 7, 2015 at 5:19 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 8/02/2015 9:28 a.m., Hector Chan wrote:
> > Hi all,
> >
> > I have a question about the CA file for SSL certificates. If I don't
> > specify anything for CA, what is default CA certs that squid will use for
> > the cache_peer ?
>
> The ones OpenSSL is configured to use.
>
> >
> > Here is a snippet of my config file.
> >
> > https_port 127.0.0.1:4443 accel \
> > cert=/etc/certs/certificate \
> > key=/etc/certs/key \
> > options=NO_SSLv2,NO_SSLv3
> > ...
> > cache_peer xyz.example.com parent 443 0 \
> > no-query originserver \
> > ssl forceddomain= xyz.example.com \
>
> NP: be careful about the whitespace there after forcedomain= .
> It will force the domain to be *unset* if the parameter is whitespace.
>
> > login=PASS \
> > sslcert=/etc/certs/certificate \
> > sslkey=/etc/certs/key \
> > ssloptions=NO_SSLv2,NO_SSLv3
>
>
> In this configuration the peer certificate will be signed by some CA
> (maybe you dong self-signing).
> You need to add the public key for that CA to the cache_peer like so:
>
> cache_peer ... \
> sslcafile=/path/to/xyz.example.com/publicCAkey.pem
>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150207/c53665f2/attachment.html>
More information about the squid-users
mailing list