[squid-users] squid 4.0.3 - sslflags not working?

Amos Jeffries squid3 at treenet.co.nz
Sun Jan 10 05:08:18 UTC 2016


On 9/01/2016 10:06 a.m., Florian Stamer wrote:
> Hi,
> 
> testet the latest Snapshot and the 4.0.4
> 
> Still the same.

Thanks for the quick feedback. Not sure what to look at this point, the
context creation logic in Squid all seems to be checking the right flags.

Hopefully Christos might have an idea what I'm overlooking, so cc'ing
just in case he has not seen this yet.

Amos

> -----Ursprüngliche Nachricht-----
> Von: Amos Jeffries
> 
> On 4/01/2016 8:58 a.m., Florian Stamer wrote:
>> Hi I,m currently testing Squid 4.0.3 in Reverse Proxy Mode.
>>
>> It seems that the sslflags directives "DONT_VERIFY_PEER" and "DONT_VERIFY_DOMAIN" do not work.
>>
> 
> Should be. They are planned for removal, but nothing towards that has ot happened yet.
> 
>> Here is the relevant config:
>>
>> https_port 443 accel cert=/etc/squid/ssl/wildcard.cer
>> key=/etc/squid/ssl/wildcard.key defaultsite=externeURL
>> cipher=HIGH:!aNULL options=SINGLE_DH_USE,NO_SSLv3
>> dhparams=/etc/squid/ssl/dhparams.pem

>> cache_peer localserver parent 443 0 proxy-only no-query no-digest
>> front-end-https=on originserver login=PASS ssl ssloptions=NO_SSLv3
>> sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=ExchangeCAS
>>
>> It perfectly workes in my production System based on Ubuntu LTS 14.04.3, Squid 3.3.8.
>>
>> Everytime i try to access the site i get an error:
>>
>> The system returned:
>> (71) Protocol error (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
>> Certificate does not match domainname
>>
>> I'm using a SAN Certificate...
>>
>> I can workaround this using the directive "sslproxy_cert_error allow all". But that is not what i want...
>>
>> Are there any issues known?
>> Is something wrong with my config?
> 
> Nothing obvious.
> 
> It might be related to one of the issues fixed since 4.0.3 was packaged.
> Are you able to try the latest 4.x snapshot ?
> 
> Amos




More information about the squid-users mailing list