[squid-users] Squid reject self-signed SSL certificate of ICAP server

Nikita jne100 at gmail.com
Thu Jun 22 09:23:14 UTC 2017


2017-06-21 19:46 GMT+03:00 Alex Rousskov <rousskov at measurement-factory.com>:

> On 06/21/2017 10:15 AM, Nikita wrote:
>
> > Is it possible to allow self-signed SSL certificates for ICAP server
> > connections somehow?
>
> Can you configure your OpenSSL library (or equivalent) to trust the ICAP
> server certificate? Squid delegates most of the certificate validation
> work to OpenSSL (or equivalent).
>
>
Probably worth a try, but generally it is undesirable in my case to modify
global OpenSSL config.


> > There is tls-flags=DONT_VERIFY_PEER flag, but in this case Squid
> > doesn't send its own certificate to ICAP server
>
> Why do you think tls-flags=DONT_VERIFY_PEER only works if Squid sends
> its own certificate? The two actions (from-peer certificate validation
> and sending of a certificate to a peer) seem unrelated to me.
>
>
In my case, for some unknown reason, Squid doesn't send its own certificate to
the ICAP server, probably because of the DONT_VERIFY_PEER flag, but I'm not sure here.
BIO_do_handshake fails with "no certificate returned" on the ICAP server side
despite the fact that the Squid certificate was specified via the tls-cert and
tls-key options of the icap_service config directive and the ICAP server was
configured to request a client certificate. It seems I need to investigate the
Squid source code in more detail to find some answers, thanks for the advice.


> Alex.
>
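As an added illustration of the two approaches discussed in this thread (not configuration from the original post or the Squid project): an icap_service line that disables peer verification beside one that trusts the ICAP server's self-signed certificate explicitly through Squid's own tls-cafile= option, which avoids touching the global OpenSSL trust store. The certificate and key paths, the service name and the ICAP host are assumed placeholders.

```conf
# --- Variant A: validation disabled (the tls-flags=DONT_VERIFY_PEER approach) ---
# Squid still connects and can present tls-cert/tls-key, but it no longer checks
# who is on the other end of the ICAP link, so a spoofed ICAP server would be
# accepted silently. Acceptable only on a fully trusted, isolated network segment.
icap_service service_req reqmod_precache \
    icaps://icap.example.internal:11344/reqmod \
    tls-cert=/etc/squid/certs/squid-client.pem \
    tls-key=/etc/squid/certs/squid-client.key \
    tls-flags=DONT_VERIFY_PEER

# --- Variant B: pin the self-signed server certificate (preferred) ---
# tls-cafile= points Squid at a PEM bundle used only for this ICAP service.
# For a self-signed server, that bundle is simply the server's own certificate,
# so the chain validates without adding anything to the system-wide OpenSSL
# trust store. Normal verification stays on, so a substituted certificate
# fails the handshake instead of being accepted.
icap_service service_req reqmod_precache \
    icaps://icap.example.internal:11344/reqmod \
    tls-cert=/etc/squid/certs/squid-client.pem \
    tls-key=/etc/squid/certs/squid-client.key \
    tls-cafile=/etc/squid/certs/icap-server-selfsigned.pem

adaptation_access service_req allow all
```

Only one of the two icap_service definitions should be active for a given service name; they are shown together for comparison.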