[squid-users] config Q

Amos Jeffries squid3 at treenet.co.nz
Sat Oct 24 04:01:51 UTC 2015


On 24/10/2015 2:22 p.m., Alex Samad wrote:
> Let me re-ask, as I have misunderstood what sslcert is used for.
> 
> 
> If cache_peer points to 127.0.0.1 433 and the cert coming back says
> office.abc.com with no subj alt for 127.0.0.1, will squid complain? If
> so, how can I get around it without using the DONT_VERIFY option?
> 

Set the cache_peer sslcafile= option with the PEM file containing the CA
that was used to sign the office.abc.com server certificate.

Since your peer has raw-IP you may also need to set
ssldomain=office.abc.com to inform verification that is the domain the
server cert is for.


You may also want to use sslflags=NO_DEFAULT_CA to prevent hijacking by
agents with rogue global CA certs on the peer connection.

Amos
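
The verification behaviour discussed in this thread can be reproduced offline with the OpenSSL command line. This is an added example, not part of the original message and not Squid's own code: `-CAfile` plays the role of sslcafile= and `-verify_hostname` the role of ssldomain=. The throwaway CA, the file names and the helper function names are constructed for the demo, and it assumes OpenSSL 1.1.0 or later with its default configuration file installed.

```shell
#!/bin/sh
# Constructed lab: a throwaway private CA and a server certificate that names
# only office.abc.com (no subjectAltName entry for 127.0.0.1).
make_lab() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=office.abc.com" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    printf 'subjectAltName=DNS:office.abc.com\n' > "$1/san.ext" &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -extfile "$1/san.ext" -out "$1/srv.pem" 2>/dev/null
}

# Analogue of sslcafile= plus ssldomain=: trust the private CA and match the
# certificate against the expected domain name ($2).
check_name() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/srv.pem" >/dev/null 2>&1
}

# Same CA, but the certificate is matched against a raw IP address ($2).
check_ip() {
    openssl verify -CAfile "$1/ca.pem" -verify_ip "$2" "$1/srv.pem" >/dev/null 2>&1
}

# No private CA supplied: only the system default trust store is consulted.
check_default_ca() {
    openssl verify -verify_hostname "$2" "$1/srv.pem" >/dev/null 2>&1
}

run_demo() {
    lab=$(mktemp -d) || return 1
    make_lab "$lab" || { rm -rf "$lab"; return 1; }
    check_name "$lab" office.abc.com && echo "private CA + expected name: accepted"
    check_ip "$lab" 127.0.0.1 || echo "private CA + raw IP: rejected"
    check_default_ca "$lab" office.abc.com || echo "default CAs only: rejected"
    rm -rf "$lab"
}
run_demo
```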


