[squid-users] squid 4.0.3 - sslflags not working?
Amos Jeffries
squid3 at treenet.co.nz
Mon Jan 4 11:07:29 UTC 2016
On 4/01/2016 8:58 a.m., Florian Stamer wrote:
> Hi I,m currently testing Squid 4.0.3 in Reverse Proxy Mode.
>
> It seems that the sslflags directives "DONT_VERIFY_PEER" and "DONT_VERIFY_DOMAIN" do not work.
>
Should be. They are planned for removal, but nothing towards that has ot
happened yet.
> Here is the relevant config:
>
> https_port 443 accel cert=/etc/squid/ssl/wildcard.cer key=/etc/squid/ssl/wildcard.key defaultsite=externeURL cipher=HIGH:!aNULL options=SINGLE_DH_USE,NO_SSLv3 dhparams=/etc/squid/ssl/dhparams.pem
> cache_peer localserver parent 443 0 proxy-only no-query no-digest front-end-https=on originserver login=PASS ssl ssloptions=NO_SSLv3 sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=ExchangeCAS
>
> It perfectly workes in my production System based on Ubuntu LTS 14.04.3, Squid 3.3.8.
>
> Everytime i try to access the site i get an error:
>
> The system returned:
> (71) Protocol error (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
> Certificate does not match domainname
>
> I'm using a SAN Certificate...
>
> I can workaround this using the directive "sslproxy_cert_error allow all". But that is not what i want...
>
> Are there any issues known?
> Is something wrong with my config?
Nothing obvious.
It might be related to one of the issues fixed since 4.0.3 was packaged.
Are you able to try the latest 4.x snapshot ?
Amos
More information about the squid-users
mailing list