[squid-users] squid 4.0.3 - sslflags not working?
Florian Stamer
florian.stamer at basys-bremen.de
Sun Jan 3 19:58:08 UTC 2016
Hi, I'm currently testing Squid 4.0.3 in Reverse Proxy Mode.
It seems that the sslflags directives "DONT_VERIFY_PEER" and "DONT_VERIFY_DOMAIN" do not work.
Here is the relevant config:
https_port 443 accel cert=/etc/squid/ssl/wildcard.cer key=/etc/squid/ssl/wildcard.key defaultsite=externeURL cipher=HIGH:!aNULL options=SINGLE_DH_USE,NO_SSLv3 dhparams=/etc/squid/ssl/dhparams.pem
cache_peer localserver parent 443 0 proxy-only no-query no-digest front-end-https=on originserver login=PASS ssl ssloptions=NO_SSLv3 sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=ExchangeCAS
It works perfectly in my production system based on Ubuntu LTS 14.04.3, Squid 3.3.8.
Every time I try to access the site I get an error:
The system returned:
(71) Protocol error (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
Certificate does not match domainname
I'm using a SAN Certificate...
I can work around this using the directive "sslproxy_cert_error allow all". But that is not what I want...
Are there any known issues?
Is something wrong with my config?
Regards,
Florian Stamer