Re: [squid-users] Re: SSL gateway using chained certs?

From: Paul <paul@dont-contact.us>
Date: Wed, 17 Dec 2003 04:57:46 -0800 (PST)

> Squid doesn't support chained SSL certificates by default. However, you
> could apply the attached patch which adds that capability. It's for
> squid-2.5.STABLE4, but it probably fits onto older releases as well.

Thanks Uwe and Henrik and Jan. This was the missing piece of the
puzzle (i.e. SSL_CTX_use_certificate_chain_file). It turns out that
the current squid-2.5.STABLE1-2 package on RH9 Linux has some SSL
support backported into it, but not SSL_CTX_use_certificate_chain_file:

  # rpm -ql openssl | grep ^/lib
  /lib/libcrypto.so.0.9.7a
  /lib/libssl.so.0.9.7a

  # ldd /usr/sbin/squid | egrep lib"crypto|ssl"
  libssl.so.4 => /lib/libssl.so.4 (0x40061000)
  libcrypto.so.4 => /lib/libcrypto.so.4 (0x40096000)

  # strings /usr/sbin/squid | egrep "enable-ssl|SSL_CTX_use"
  SSL_CTX_use_PrivateKey_file
  SSL_CTX_use_certificate_file
  --host=i386-redhat-linux --build=i386-redhat-linux
  --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr
  --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
  --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib
  --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com
  --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr
  --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var
  --sysconfdir=/etc/squid --enable-poll --enable-snmp
  --enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,ufs
  --enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools
  --enable-linux-netfilter --with-pthreads
  --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT
  --enable-ntlm-auth-helpers=SMB,winbind
  --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group

Hopefully wildcard chained certs will work as well with your patch ...

-- Paul
Received on Wed Dec 17 2003 - 07:02:11 MST
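The same three-step check Paul ran above, as an added shell example (not code from the thread or from the squid project): it reports whether a squid binary was built with --enable-ssl and whether it references SSL_CTX_use_certificate_chain_file, using grep -a instead of strings so it runs on systems without binutils. The two sample files are constructed stand-ins for binaries, not real packages.

```sh
# Constructed stand-ins for two squid binaries (plain text here; grep -a
# also works on real ELF files). OLD mirrors the RH9 package above:
# --enable-ssl, but only the single-certificate loader.
SAMPLE_OLD=$(mktemp)
printf '%s\n' 'SSL_CTX_use_PrivateKey_file' 'SSL_CTX_use_certificate_file' \
    '--enable-ssl --with-openssl=/usr/kerberos' > "$SAMPLE_OLD"
# CHAIN mirrors a build carrying the chained-certificate patch.
SAMPLE_CHAIN=$(mktemp)
printf '%s\n' 'SSL_CTX_use_PrivateKey_file' 'SSL_CTX_use_certificate_chain_file' \
    '--enable-ssl' > "$SAMPLE_CHAIN"

# has_symbol FILE NAME: exit 0 if NAME occurs anywhere in FILE.
# -a treats binary files as text; -- stops "--enable-ssl" being parsed as an option.
has_symbol() {
    grep -a -q -- "$2" "$1"
}

# chain_support FILE: prints one word describing the binary's SSL capability.
#   no-ssl      : not configured with --enable-ssl
#   chain       : references SSL_CTX_use_certificate_chain_file (chained certs usable)
#   single-cert : SSL built in, but only SSL_CTX_use_certificate_file
#   unknown     : --enable-ssl present but neither loader symbol found
chain_support() {
    if ! has_symbol "$1" '--enable-ssl'; then
        echo no-ssl
    elif has_symbol "$1" 'SSL_CTX_use_certificate_chain_file'; then
        echo chain
    elif has_symbol "$1" 'SSL_CTX_use_certificate_file'; then
        echo single-cert
    else
        echo unknown
    fi
}

# Usage: run against the samples (or /usr/sbin/squid on a real host).
for f in "$SAMPLE_OLD" "$SAMPLE_CHAIN"; do
    printf '%s: %s\n' "$f" "$(chain_support "$f")"
done
```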