RE: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.

From: Dean Weimer <dweimer_at_orscheln.com>
Date: Tue, 29 Sep 2009 07:54:00 -0500

> -----Original Message-----
> From: Chris Robertson [mailto:crobertson_at_gci.net]
> Sent: Monday, September 28, 2009 4:16 PM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] SSL Reverse Proxy testing With Invalid
> Certificate, can it be done.
>
> Dean Weimer wrote:
> > I am trying to set up a test with an SSL reverse proxy on an intranet
> > site. I currently have a fake self-signed certificate and the server is
> > answering on the HTTP side just fine, and answering on the HTTPS side;
> > however I get a (92) protocol error returned from the proxy when trying
> > to access it through HTTPS.
> >
> > I have added the following lines for the HTTPS option:
> >
> > https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost
> >
> > cache_peer 10.20.10.76 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite
> >
> > From the log I can see the error is caused by the invalid certificate.
> >
> > 2009/09/25 11:38:07| SSL unknown certificate error 18 in...
> > 2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> >
> > Is there a way that I can tell it to go ahead and trust this fake
> > certificate during testing while I wait for the actual, valid
> > certificate to be issued?
> >
>
> Perhaps http://www.squid-cache.org/Doc/config/sslproxy_flags/
>
> >
> > Thanks,
> > Dean Weimer
> > Network Administrator
> > Orscheln Management Co
> >
>
> Chris

I didn't see that one, though I have the real certificate now and
everything is working with it. I figure the sslflags on the cache peer
settings should accomplish the same thing, but they didn't seem to make
a difference whether I included them or not.

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co
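As an added example (not from the thread or from Squid itself), the script below reproduces the verify failure from Dean's log with openssl, then shows the test-time alternative to switching verification off: trusting just the origin's own self-signed certificate. The certificate, key and paths are constructed for the demo, and the squid.conf lines in the comments assume the sslcafile= and ssldomain= cache_peer options.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the "certificate verify failed"
# Squid logged (X509 error 18 = self-signed certificate at depth 0) with openssl,
# then shows that pinning the origin's own certificate as the CA verifies cleanly.
# All certificates and paths here are constructed for the demo.
set -e
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the self-signed certificate on the origin (10.20.10.76 in the thread).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mysite" \
        -keyout "$WORK/origin.key" -out "$WORK/origin.crt" >/dev/null 2>&1
}

# Print the X509 verify error code for CERT (0 = OK). These are the same
# X509_V_ERR_* numbers Squid prints as "SSL unknown certificate error N".
# With an empty CAFILE only the system trust store is consulted.
verify_code() {
    cert=$1; cafile=$2
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1) || true
    else
        out=$(openssl verify "$cert" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo 0 ;;
        *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

make_self_signed
echo "system store only:    X509 error $(verify_code "$WORK/origin.crt" "")"  # 18
echo "origin.crt as CAfile: X509 error $(verify_code "$WORK/origin.crt" "$WORK/origin.crt")"  # 0

# squid.conf equivalent (assumes the sslcafile= and ssldomain= cache_peer options):
# keep verification on and trust only this one certificate for the test.
#
#   # what the thread tried: peer verification disabled entirely
#   cache_peer 10.20.10.76 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite
#
#   # test-time alternative: verification kept, pinned to the origin's self-signed cert
#   cache_peer 10.20.10.76 parent 443 0 no-query originserver ssl sslcafile=/usr/local/squid/etc/certs/origin.crt ssldomain=mysite name=secure_mysite
```

When the real CA-issued certificate arrives, the pinned sslcafile= line is simply dropped and the peer verifies against the normal trust store.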
Received on Tue Sep 29 2009 - 12:55:11 MDT