[squid-users] Communication fails between parent and child if using SSL/TLS
Amos Jeffries
squid3 at treenet.co.nz
Sun Mar 26 19:42:46 UTC 2017
On 27/03/2017 1:01 a.m., Jānis wrote:
>
> Quoting Jānis
> Sun, 26 Mar 2017 14:56:32 +0300:
>
>> Hi!
>>
>> theoretically, I have configured two squids in a parent-child cache
>> structure.
>>
>> It works perfectly if it is just "plaintext" communications, but if I
>> set them to use ssl (for non https traffic),
>> the following error occurs:
>> X-Squid-Error: ERR_CONNECT_FAIL 111
>>
>> and
>>
>> TCP connection to PARENT/PORT failed
>>
>> pop: lookup for key {PARENT/PORT} failed
>>
>> child's cache_peer config:
>>
>> cache_peer PARENT parent PORT 0 proxy-only ssl \
>> sslcert=/path/to/cert.pem \
>> sslkey=/path/to/key.key \
>> sslflags=DONT_VERIFY_PEER
>>
>> parent's:
>>
>> https_port PORT \
>> cert=/path/to/parent/cert.pem \
>> key=/path/to/parent/key.key \
>> sslflags=NO_DEFAULT_CA
>>
>> yes, and parent for some reason is not listening on PORT (according to
>> netstat -l -n)
>>
>> connection for child to parent - allowed (it stays the same for either
>> non-ssl or ssl-enabled cfg).
>>
>> squid's ./configure:
>> --prefix=/usr \
>> --libdir=/usr/lib${LIBDIRSUFFIX} \
>> --sysconfdir=/etc/squid \
>> --localstatedir=/var/log/squid \
>> --datadir=/usr/share/squid \
>> --with-pidfile=/var/run/squid \
>> --mandir=/usr/man \
>> --with-logdir=/var/log/squid \
>> --disable-devpoll \
>> --enable-snmp \
>> --enable-ssl \
>> --enable-linux-netfilter \
>> --enable-async-io \
>> --disable-translation \
>> --build=$ARCH-slackware-linux
>>
>> What disappoints - with older version of squid it worked. The upgrade
>> turned it down.
By "the upgrade" you mean what version(s) changed?
>
> both ends use gnutls.
>
GnuTLS support is not available for https_port yet. You need
build option --with-openssl for at least that part. --enable-ssl is
deprecated.
Amos
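
A pre-flight check for the mismatch diagnosed in the reply above, as an added example (not code from this thread or from the Squid project). It assumes the build options are available as text, which `squid -v` prints on its "configure options:" line; the function names and the sample input are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: detect an https_port directive on a build that lacks
# --with-openssl. Inputs are plain strings so the check runs offline; on a
# real host pass "$(squid -v)" and the contents of squid.conf.

# has_option OPTS NAME: succeed if configure option NAME (with or without
# an =value) appears in OPTS. Quotes and line continuations are ignored.
has_option() {
    printf '%s\n' "$1" | tr -s " \t\\\\'" '\n' | grep -Eqx -e "$2(=.*)?"
}

# uses_https_port CONF: succeed if CONF has an uncommented https_port line.
uses_https_port() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*https_port[[:space:]]'
}

# check_build OPTS CONF: return 1 if CONF asks for a TLS listener that the
# build cannot provide, 0 otherwise. Findings are written to stderr.
check_build() {
    if has_option "$1" --enable-ssl; then
        echo "note: --enable-ssl is deprecated" >&2
    fi
    if uses_https_port "$2" && ! has_option "$1" --with-openssl; then
        echo "error: https_port configured but build lacks --with-openssl" >&2
        return 1
    fi
    return 0
}

# Constructed sample input, modelled on the configuration quoted in the thread.
SAMPLE_OPTS="configure options: '--prefix=/usr' '--enable-snmp' '--enable-ssl'"
SAMPLE_CONF='# parent
https_port PORT cert=/path/to/parent/cert.pem key=/path/to/parent/key.key'

if check_build "$SAMPLE_OPTS" "$SAMPLE_CONF"; then
    echo "build matches configuration"
else
    echo "rebuild Squid with --with-openssl before enabling https_port"
fi
```

Running it before a restart also explains the symptom reported above: the parent never opens the listening port, so the child only sees a refused connection.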