[squid-users] sending certificate chain from squid reverse proxy
Kate Dawson
aland at burngreave.net
Tue Jul 16 12:34:12 UTC 2019
Hi,
Is it possible to send a certificate chain from squid when it's used in
reverse proxy (accel) mode and compiled with gnutls?
I am running Debian Buster, and the packaged squid https://packages.debian.org/buster/squid is 4.6-1
squid -v reports that it is compiled --with-gnutls
I have the following line (for squid proxy in front of Microsoft Exchange 2016).
https_port 443 accel tls-cert=fullchain.crt tls-key=privkey.pem defaultsite=webmail.example.com vhost connection-auth=off tls-dh=dh2048.pem
Where fullchain.crt is a concatenation of the public certificate and an
intermediate CA.
From the http://www.squid-cache.org/Versions/v4/cfgman/http_port.html
page it says regarding the tls-cert option
    tls-cert=   Path to file containing an X.509 certificate (PEM format)
                to be used in the TLS handshake ServerHello.
                ...
                When OpenSSL is used this file may also contain a
                chain of intermediate CA certificates to send in the
                TLS handshake.
                When GnuTLS is used this option (and any paired
                tls-key= option) may be repeated to load multiple
                certificates for different domains.
Is it possible to send an intermediate certificate when built with GnuTLS, and if so, what are the options?
Thanks in advance,
Kate Dawson
--
"The introduction of a coordinate system to geometry is an act of violence"