[squid-users] Multiple SSL certificates on same IP

Bruno de Paula Larini bruno.larini at riosoft.com.br
Thu Dec 20 12:45:49 UTC 2018


On 19/12/2018 20:09, Amos Jeffries wrote:
> OpenSSL definitely can use only one certificate per http(s)_port. Either
> the _last_ loaded if several PEM files are loaded (each call to the
> OpenSSL API *replaces* the certs loaded), or if one tries to work around
> that by merging everything into a single PEM and only loading it all at
> once - only the _first_ cert chain is ever used from that set.
Sorry for maybe going a bit off-topic, just curious about it.
I'm mostly clueless about the implications and intricacies of "behind
the scenes" of SNI, but most modern webservers support it (Apache,
nginx, IIS). Apache, for instance, says it should be built with "OpenSSL
with the TLS Extensions option enabled", since OpenSSL v0.9.8f. And
their configuration for Virtual Hosts and SSL/TLS is rather simple from a
user's view.

So, my question would be: why would Squid have problems with SNI and
OpenSSL when other webservers/proxies have this feature using
OpenSSL/LibreSSL libs?

In my (user's) opinion, Squid has far more complex features with SSL
Bump and other forward proxy handling for SSL/TLS. Why would SNI be such
a big deal?

-Bruno
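As an added illustration of what happens "behind the scenes" of SNI (example code, not from this thread, Squid or any webserver mentioned above): a SNI-aware server reads the host_name from the client's ClientHello and only then chooses which certificate chain to present, so the selection has to happen per connection rather than by loading several certificates into one context. The hostnames and PEM paths below are constructed placeholders.

```python
import struct

# Constructed mapping: SNI host_name -> certificate a server switches to in its
# servername callback. Hostnames and paths are placeholders, not Squid's own.
CERT_BY_NAME = {"proxy.example.org": "/path/to/proxy.example.org.pem",
                "cache.example.net": "/path/to/cache.example.net.pem"}
DEFAULT_CERT = "/path/to/default.pem"  # presented when the client sends no SNI

def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello handshake message (constructed input)."""
    ext = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni              # extension type 0
    body = (b"\x03\x03" + bytes(32)                # client_version + random
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack("!H", len(ext)) + ext)   # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_sni(msg):
    """Return the host_name from the ClientHello's server_name extension, or None."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 2 + 32                                        # skip version and random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos >= len(body):
        return None                                     # no extensions: legacy client
    end, pos = pos + 2 + struct.unpack_from("!H", body, pos)[0], pos + 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype != 0:
            continue
        p, list_end = 2, 2 + struct.unpack_from("!H", data, 0)[0]
        while p + 3 <= list_end:
            ntype, nlen = data[p], struct.unpack_from("!H", data, p + 1)[0]
            if ntype == 0:
                return data[p + 3:p + 3 + nlen].decode("ascii")
            p += 3 + nlen
    return None

def select_cert(msg):
    # The certificate a SNI-aware server would present for this ClientHello.
    return CERT_BY_NAME.get(parse_sni(msg), DEFAULT_CERT)
```

A client that sends no server_name, or an unknown one, gets the default certificate, which is the same fallback behaviour a webserver's default virtual host provides.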


