RE: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.

From: Dean Weimer <dweimer_at_orscheln.com>
Date: Mon, 5 Oct 2009 09:12:03 -0500

> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
> Sent: Monday, October 05, 2009 4:48 AM
> To: Dean Weimer
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] SSL Reverse Proxy testing With Invalid
> Certificate, can it be done.
>
> fre 2009-09-25 klockan 10:57 -0500 skrev Dean Weimer:
>
> > 2009/09/25 11:38:07| SSL unknown certificate error 18 in...
> > 2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
>
> This is your Squid trying to use SSL to connect to the requested
> server.
> Not related to the http_port certificate settings.
>
> Validation requirements on peer certificates are set in cache_peer.
>
> Regards
> Henrik

I was running Squid 3.0.STABLE19 on the test system. Here are the
configuration lines from the original test. At one point I had added
cert lines on the cache_peer before realizing that those were only for
use when certificate authentication was needed on the parent. I can't
remember for sure if the log was copied from when I had those options on
or not; I still had an invalid certificate error after removing them, but
it may have been a different error number.

https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt
key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost

cache_peer 1.2.3.4 parent 443 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite

My production server is a couple revisions behind, currently running
STABLE17; it will be updated to 19 this coming weekend. I did not test
it with the fake certificate.

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co
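An added example, not code from the thread or from Squid: a small linter for the cache_peer syntax shown above that reports ssl peers whose sslflags contain DONT_VERIFY_PEER or DONT_VERIFY_DOMAIN, so a setting meant only for a test box with a self-signed parent can be caught before it reaches the production squid.conf. The hardened sample line (sslcafile, ssldomain and their paths) is a constructed assumption, not configuration from the post.

```python
"""Flag cache_peer lines in squid.conf that disable TLS peer verification."""

# Options that turn off verification of the parent's certificate.
UNSAFE_FLAGS = {"DONT_VERIFY_PEER", "DONT_VERIFY_DOMAIN"}

# Constructed samples: the test-box line from the post, and a hardened
# variant (paths and ssldomain are made up for this example).
TEST_CONF = """\
# test system: parent has a self-signed certificate
cache_peer 1.2.3.4 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite
"""
HARDENED_CONF = """\
cache_peer 1.2.3.4 parent 443 0 no-query originserver ssl sslcafile=/usr/local/squid/etc/certs/parent-ca.pem ssldomain=mysite name=secure_mysite
"""


def parse_cache_peer(line):
    """Parse one cache_peer line into host/type/ports, bare flags and key=value options."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "cache_peer":
        return None
    peer = {"host": tokens[1], "type": tokens[2], "http_port": tokens[3],
            "icp_port": tokens[4], "flags": set(), "options": {}}
    for tok in tokens[5:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            peer["options"][key] = value
        else:
            peer["flags"].add(tok)
    # sslflags is a comma-separated list; an absent option yields an empty set.
    raw_sslflags = peer["options"].get("sslflags", "")
    peer["sslflags"] = set(filter(None, raw_sslflags.split(",")))
    return peer


def find_unverified_peers(conf_text):
    """Return (peer name, offending sslflags) for every ssl peer that skips verification."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        peer = parse_cache_peer(line)
        if peer is None or "ssl" not in peer["flags"]:
            continue
        bad = peer["sslflags"] & UNSAFE_FLAGS
        if bad:
            findings.append((peer["options"].get("name", peer["host"]), sorted(bad)))
    return findings


if __name__ == "__main__":
    print("test config:", find_unverified_peers(TEST_CONF))
    print("hardened config:", find_unverified_peers(HARDENED_CONF))
```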
Received on Mon Oct 05 2009 - 14:12:10 MDT