[squid-users] cache-peer and tls
Amos Jeffries
squid3 at treenet.co.nz
Sun Aug 4 03:00:52 UTC 2019
On 4/08/19 2:11 am, Eugene M. Zheganin wrote:
> Hello,
>
>
> I'm using squid 4.6 and I need to TLS-encrypt the session to the parent
> proxy. I have in config:
>
>
> cache_peer proxy.foo.bar parent 3129 3130 tls
> tls-cafile=/usr/local/etc/squid/certs/le.pem
> sslcert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem
> sslkey=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem
> sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
>
Please start with "squid -k parse" and update those to the Squid-4 options.
Also, any errors/warnings mentioned about the PEM files contents need to
be fixed.
>
> But no matter what I'm doing, squid keeps telling in logs that he
> doesn't like the peer certificate:
>
>
> 2019/08/03 18:42:24 kid1| ERROR: negotiating TLS on FD 23:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
> verify failed (1/-1/0)
> 2019/08/03 18:42:24 kid1| temporary disabling (Service Unavailable)
> digest from proxy.foo.bar
>
> and then he's going directly bypassing the peer. :/
>
>
> Is there any way to tell him that I don't care ?
>
You really should care. There is no point in TLS to a peer if you are
going to ignore whether the right peer is even being connected to.
Amos
More information about the squid-users
mailing list