[squid-users] Re: SSL gateway using chained certs?

From: Uwe Doering <gemini@dont-contact.us>
Date: Wed, 17 Dec 2003 10:23:41 +0100

Paul wrote:
> Can squid (squid-2.5.STABLE1-2 running under RH9 Linux) be
> configured to handle *chained* SSL certificates (e.g. from
> FreeSSL.com) for SSL to HTTP gatewaying? Before I purchase a
> chained cert (much cheaper than usual certs), I'd like to hear
> from anyone who has direct experience.

Squid doesn't support chained SSL certificates by default. However, you
could apply the attached patch which adds that capability. It's for
squid-2.5.STABLE4, but it probably fits onto older releases as well.

> With chained certs, you get the usual web certificate *plus* a second
> certificate (e.g. chain.crt) to complete the chain of trust to a root CA.

With OpenSSL as the SSL layer the order of chained certificates in the
.crt or .pem file is important. They have to be in reverse
chaining/signing order, that is, your domain certificate first, then the
intermediate certificates up to the root certificate.

> Thank you in advance for any help,

Hope it works for you.

    Uwe

-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net

--- src/ssl_support.c Sat Feb 8 14:53:15 2003
+++ src/ssl_support.c Thu Sep 18 12:52:06 2003
@@ -327,7 +327,7 @@
         }
     }
     debug(83, 1) ("Using certificate in %s\n", certfile);
- if (!SSL_CTX_use_certificate_file(sslContext, certfile, SSL_FILETYPE_PEM)) {
+ if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {
         ssl_error = ERR_get_error();
         fatalf("Failed to acquire SSL certificate: %s\n",
             ERR_error_string(ssl_error, NULL));
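Review bot: the error text in the fatalf() a few lines below the changed call still says "Failed to acquire SSL certificate", but SSL_CTX_use_certificate_chain_file() now reads the whole file (server certificate followed by any intermediate certificates), so a mis-ordered or malformed intermediate also lands on this message; suggest changing it to "Failed to acquire SSL certificate chain" and documenting for the cert= option that the file must be PEM with the server certificate first and the intermediates after it, since the explicit SSL_FILETYPE_PEM argument that used to hint at the format is gone from the call.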
Received on Wed Dec 17 2003 - 02:23:52 MST

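The ordering rule given in the reply (server certificate first, then each intermediate that signed the one before it) can be checked before pointing squid at a bundle. The following is an added example, not code from the mail or from squid: it splits a PEM bundle, pulls the issuer and subject out of each certificate with a minimal DER walk, and confirms that each next certificate is the issuer of the previous one. The bundles at the bottom are constructed, unsigned stand-ins rather than real certificates.

```python
import base64
import re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def names_of(der):
    """Return (issuer, subject) as the raw DER Name values of an X.509 certificate."""
    _, cert, _ = der_tlv(der)             # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = der_tlv(cert)             # tbsCertificate
    tag, _, pos = der_tlv(tbs)
    pos = pos if tag == 0xA0 else 0       # skip the optional [0] EXPLICIT version
    _, _, pos = der_tlv(tbs, pos)         # serialNumber
    _, _, pos = der_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, issuer, pos = der_tlv(tbs, pos)    # issuer Name
    _, _, pos = der_tlv(tbs, pos)         # validity
    _, subject, _ = der_tlv(tbs, pos)     # subject Name
    return issuer, subject

def chain_order_ok(pem_bytes):
    """True when each certificate after the first is the issuer of the one before it."""
    certs = [names_of(base64.b64decode(b"".join(m.split()))) for m in PEM_RE.findall(pem_bytes)]
    return bool(certs) and all(certs[i][0] == certs[i + 1][1] for i in range(len(certs) - 1))

# Constructed sample data: unsigned stand-ins carrying only the fields names_of() reads.
def _tlv(tag, value):                     # short-form DER lengths suffice for these
    return bytes([tag, len(value)]) + value

def _name(cn):                            # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn))))

def _fake_cert(subject, issuer):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _name(issuer) + _tlv(0x30, b"") + _name(subject))
    der = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

ROOT = _fake_cert(b"Root CA", b"Root CA")
INTER = _fake_cert(b"Intermediate", b"Root CA")
LEAF = _fake_cert(b"www.example.com", b"Intermediate")
GOOD_BUNDLE = LEAF + INTER + ROOT         # the order the mail describes: server cert first
BAD_BUNDLE = ROOT + INTER + LEAF          # root first: OpenSSL would present the root as the server cert
```

On a real bundle, `chain_order_ok(open("chain.crt", "rb").read())` applies the same test; the Name comparison is on the DER encodings, which is how OpenSSL matches issuer to subject as well.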