[squid-users] Re: SSL gateway using chained certs?

From: Jan Legenhausen <jleg@dont-contact.us>
Date: Wed, 17 Dec 2003 10:09:05 +0100

--On Tuesday, 16 December 2003 15:30 -0800 Paul <paul@oz.net> wrote:

> Can squid (squid-2.5.STABLE1-2 running under RH9 Linux) be
> configured to handled *chained* SSL certificates (e.g. from
> FreeSSL.com) for SSL to HTTP gatewaying? Before I purchase
> chained cert (much cheaper than usual certs), I'd like to hear
> from anyone who has direct experience.

Yes, this works with the patch from this place:
<http://devel.squid-cache.org/old_projects.html#ssl>

We are running 2.5STABLE2 in a production environment with this (using Comodo
certs).
You don't even have to use the new squid.conf options then; simply putting
the certs into one file did the job...

regards, Jan

>
> With chained certs, you get the usual web certificate *plus* a second
> certificate (e.g. chain.crt) to complete the chain of trust to a root CA.
>
> The only real documentation I've found on using squid to gateway
> SSL to http is in the squid.conf file appended below. Not *sure*
> from the documentation if it's possible to fit a *chained* cert
> into the https_port tag.
>
> Thank you in advance for any help,
>
> -- Paul
>
># TAG: https_port
># Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
> ...
># You may specify multiple socket addresses on multiple lines,
># each with their own SSL certificate and/or options.
> ...
># cert= Path to SSL certificate (PEM format)
>#
># key= Path to SSL private key file (PEM format)
># if not specified, the certificate file is
># assumed to be a combined certificate and
># key file
>#
># version= The version of SSL/TLS supported
># 1 automatic (default)
># 2 SSLv2 only
># 3 SSLv3 only
># 4 TLSv1 only
>#
># cipher= Colon separated list of supported ciphers
>#
># options= Various SSL engine options. The most important
># being:
># NO_SSLv2 Disallow the use of SSLv2
># NO_SSLv3 Disallow the use of SSLv3
># NO_TLSv1 Disallow the use of TLSv1
># See src/ssl_support.c or OpenSSL documentation
># for a more complete list.
>
Received on Wed Dec 17 2003 - 02:09:23 MST
