[squid-users] HTTPS_PORT AND SSL CERT

Julien TEHERY julien.tehery at mediactivegroup.com
Thu May 28 06:32:17 UTC 2020


I retried everything possible in terms of order in the pem file.
From my workstation, if I do "openssl s_client -showcerts -connect mysquid.mycompany.com:8443" I only get one certificate/issuer, but with the same command on the same server on a different port (Apache listening on 443), I correctly get 2 certificates/issuers:

To be clear, my https configuration isn't for ssl_bump purposes but only to provide secure access to the HTTP proxy through the WAN with a valid certificate.
Do some of you use complete certificates (including the intermediate) with Squid? If yes, please tell me how you made it work.
I do have the latest stable Squid version built with OpenSSL support.

If Squid isn't able to do that, as we do with so many other software packages, I should consider using an HAProxy server or an Apache reverse proxy in front of Squid to handle the SSL cert correctly.

Regards,



________________________________
From: Julien TEHERY <julien.tehery at mediactivegroup.com>
Sent: Wednesday 27 May 2020 09:54
To: Amos Jeffries <squid3 at treenet.co.nz>; squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
Subject: RE: [squid-users] HTTPS_PORT AND SSL CERT

Unfortunately, I've just compiled and built deb packages for a fresh new Squid 4.11.
Now SSL support should be fully operational, but the certificate is still not showing the intermediate.

I just tried https_port 8443 tls-cert=/etc/squid/wildcard.mycompany.com.pem
where in the pem file I have, in this precise order:

  * cert key
  * server cert
  * intermediate cert

The openssl client shows only the cert issuer, whereas it should show both.
Did I miss something?

On 26/05/20 7:24 pm, Julien TEHERY wrote:
> To make it work all the time i had to add my intermediate certificate
> (thawte) in the local store, so that means intermediate certificate has
> not been delivered by the squid server as it should.

The experimental GnuTLS support in Debian package does not yet support
certificate chains. That is still some ways off.

For now if there is a chain with intermediate certificates you still
need to use an OpenSSL build of Squid.

Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
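The thread's diagnostic is to compare what `openssl s_client -showcerts` reports on the Squid port against the Apache port. As an added example (not from the thread or the Squid project), here is a small parser that reads that output and reports whether the served chain is linked and complete; the sample outputs are constructed and abbreviated, with placeholder CA names.

```python
import re
# Constructed, abbreviated `openssl s_client -showcerts` output (certificate bodies omitted,
# CA names are placeholders) for a server sending only its leaf: the symptom in the thread.
LEAF_ONLY = """\
depth=0 CN = *.mycompany.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = *.mycompany.com
   i:O = Example CA, CN = Example Intermediate CA
---
"""
# The same server sending leaf plus intermediate, as the Apache vhost on 443 does.
WITH_INTERMEDIATE = """\
depth=2 O = Example CA, CN = Example Root CA
verify return:1
depth=1 O = Example CA, CN = Example Intermediate CA
verify return:1
depth=0 CN = *.mycompany.com
verify return:1
---
Certificate chain
 0 s:CN = *.mycompany.com
   i:O = Example CA, CN = Example Intermediate CA
 1 s:O = Example CA, CN = Example Intermediate CA
   i:O = Example CA, CN = Example Root CA
---
"""
CHAIN_RE = re.compile(r"^ *(\d+) s:(.*)\n *i:(.*)$", re.M)
ERR_RE = re.compile(r"^depth=(\d+).*\nverify error:num=(\d+):", re.M)

def parse_chain(output):
    """Certificates the server presented, as (subject, issuer) tuples, leaf first."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CHAIN_RE.finditer(output)]

def diagnose(output):
    """Chain problems visible in s_client output; an empty list means the served chain is consistent."""
    chain = parse_chain(output)
    problems = []
    # Each presented certificate must be issued by the one at the next depth.
    for d in range(len(chain) - 1):
        if chain[d][1] != chain[d + 1][0]:
            problems.append(f"cert {d} issuer does not match cert {d + 1} subject")
    for m in ERR_RE.finditer(output):
        depth, num = int(m.group(1)), int(m.group(2))
        # Verify error 20 (unable to get local issuer certificate) on the deepest presented
        # certificate means the server stopped the chain before reaching a locally trusted CA.
        if num == 20 and depth == len(chain) - 1:
            subject, issuer = chain[depth]
            problems.append(f"issuer of '{subject}' ({issuer}) was not presented; "
                            "if that is an intermediate CA, the served chain is incomplete")
    return problems
```

Feed it the real output of `openssl s_client -showcerts -connect host:port </dev/null` for both ports; the Squid port should produce the same empty problem list as the Apache port once the intermediate is served.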