[squid-users] usage of sslcapath in cache_peer
Amos Jeffries
squid3 at treenet.co.nz
Wed Feb 18 01:58:24 UTC 2015
On 18/02/2015 2:24 p.m., Hector Chan wrote:
> Forgot to add. The actual cert is world readable.
>
> [admin at dsg214 ~]# ll /data/cacerts/../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
> -rw-r--r-- 1 admin root 1108 Feb 18 00:21 /data/cacerts/../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
>
> On Tue, Feb 17, 2015 at 5:18 PM, Hector Chan <hectorchan at gmail.com> wrote:
>
>> Hi All,
>>
>> I have a question about using sslcapath in cache_peer. My
>> server.example.com has a self-signed cert, which I imported into my squid
>> box under /data/certs. The following cache_peer line actually worked.
>> However, if I remove the sslcafile, squid won't verify the self-signed cert.
>>
>> cache_peer server.example.com parent 443 0 \
>> no-query originserver ssl \
>> forceddomain=server.example.com \
>> login=PASS \
>> sslcert=/data/certs/certificate sslkey=/data/certs/key \
>> ssloptions=NO_SSLv2,NO_SSLv3 \
>> sslcafile=/data/cacerts/72af835f.0 \
>> sslcapath=/data/cacerts
>>
>> [admin at dsg214 cacerts]# ls -l
>> total 0
>> lrwxrwxrwx 1 admin root 53 Feb 18 00:22 35fa123a.0 -> ../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
>>
>> Running openssl command from the squid box verified the certificate chain
>> ok with the -CApath option, which really puzzled me.
>> # openssl s_client -CApath /data/certs -connect server.example.com:443
>>
>> Any ideas?
Those parameters are treated as strings passed directly as the input to
this OpenSSL API:
<http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html>
It does not seem to define what happens if CAFile is NULL. So anything
could happen.
Amos
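The hashed filenames in the thread (72af835f.0, 35fa123a.0) are what OpenSSL's CApath lookup searches for: the name is the subject hash of the CA certificate plus a sequence number, and an entry whose name does not match that hash is never opened. This added Python example (not from the thread, Squid or OpenSSL) reimplements that hash as `openssl x509 -subject_hash` computes it for OpenSSL 1.0.0 and later, and the lookup order, so a CApath directory can be checked for the entry a peer's CA needs; the `OIDS` table, the RDN list format and the sample subjects are constructed here.

```python
import hashlib

OIDS = {"CN": "2.5.4.3", "O": "2.5.4.10", "OU": "2.5.4.11", "C": "2.5.4.6",
        "ST": "2.5.4.8", "L": "2.5.4.7", "emailAddress": "1.2.840.113549.1.9.1"}  # constructed subset

def tlv(tag, content):
    """DER tag-length-value, long-form length once content is 128+ bytes."""
    n = len(content)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        n = (arc.bit_length() - 1) // 7      # continuation bytes before the final one
        out += bytes(0x80 | (arc >> 7 * i) & 0x7F for i in range(n, 0, -1)) + bytes([arc & 0x7F])
    return tlv(0x06, bytes(out))

def canon_value(s):
    """OpenSSL canonical string: UTF-8, trimmed, whitespace runs collapsed, ASCII lowercased."""
    out, prev_space = bytearray(), True
    for b in s.encode("utf-8"):
        if b in b" \t\n\x0b\x0c\r":          # ossl_isspace: ASCII whitespace only
            if not prev_space:
                out.append(0x20)
            prev_space = True
        else:                                # non-ASCII bytes are copied untouched
            out.append(b + 0x20 if 0x41 <= b <= 0x5A else b)
            prev_space = False
    return bytes(out[:-1] if out and out[-1] == 0x20 else out)

def canon_encoding(rdns):
    """Bytes that get hashed: per RDN a SET of SEQUENCE(OID, UTF8String), concatenated, no outer SEQUENCE."""
    return b"".join(tlv(0x31, tlv(0x30, der_oid(OIDS[a]) + tlv(0x0C, canon_value(v)))) for a, v in rdns)

def subject_hash(rdns):
    """What `openssl x509 -subject_hash` prints (OpenSSL >= 1.0.0): SHA-1 of the canonical name, first 4 bytes little-endian."""
    digest = hashlib.sha1(canon_encoding(rdns)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def capath_lookup(rdns, filenames):
    """Files a CApath lookup opens for this subject: <hash>.0, <hash>.1, ... until one is missing."""
    h, found = subject_hash(rdns), []
    while f"{h}.{len(found)}" in filenames:
        found.append(f"{h}.{len(found)}")
    return found
```

Compare the result with `openssl x509 -in <cert> -noout -subject_hash` for the CA file in question; `c_rehash` (or `openssl rehash` on 1.1.0 and later) creates the matching symlinks.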