[squid-users] Squid reject self-signed SSL certificate of ICAP server

Alex Rousskov rousskov at measurement-factory.com
Wed Jun 21 16:46:46 UTC 2017


On 06/21/2017 10:15 AM, Nikita wrote:

> Is it possible to allow self-signed SSL certificates for ICAP server
> connections somehow?

Can you configure your OpenSSL library (or equivalent) to trust the ICAP
server certificate? Squid delegates most of the certificate validation
work to OpenSSL (or equivalent).


> There is tls-flags=DONT_VERIFY_PEER flag, but in this case Squid
> doesn't send its own certificate to ICAP server

Why do you think tls-flags=DONT_VERIFY_PEER only works if Squid sends
its own certificate? The two actions (from-peer certificate validation
and sending of a certificate to a peer) seem unrelated to me.

Alex.
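
The following is an added example, not part of the original message and not code from the Squid project. It shows OpenSSL accepting a self-signed certificate once that certificate is supplied as a trust anchor, with peer verification left on. The host names, file layout and function names are constructed for the demo, and it assumes the openssl CLI, version 1.1.0 or later.

```shell
#!/bin/sh
# Constructed demo: host names and file names are made up for illustration.
# Assumes the openssl CLI, 1.1.0 or later (verify exits non-zero on failure).

# Create a throwaway self-signed certificate standing in for the ICAP server's.
make_selfsigned() {  # $1 = output directory, $2 = certificate common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Exit status 0 only if certificate $1 validates against trust anchors in $2.
verify_with_anchor() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the verdict without and with the ICAP certificate as a trust anchor.
demo() {
    dir=$(mktemp -d) || return 2
    mkdir "$dir/icap" "$dir/other"
    make_selfsigned "$dir/icap" icap.example.internal &&
        make_selfsigned "$dir/other" unrelated.example.internal ||
        { rm -rf "$dir"; return 2; }

    # Anchor file holds only an unrelated certificate: validation fails.
    if verify_with_anchor "$dir/icap/cert.pem" "$dir/other/cert.pem"; then
        before=trusted; else before=rejected; fi
    # Anchor file holds the ICAP certificate itself: validation succeeds.
    if verify_with_anchor "$dir/icap/cert.pem" "$dir/icap/cert.pem"; then
        after=trusted; else after=rejected; fi

    rm -rf "$dir"
    echo "$before $after"
}

demo
```

On a real deployment the anchor file would be the ICAP server's actual certificate in PEM form, placed wherever the OpenSSL build used by Squid looks for trusted certificates.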

