Re: [squid-users] SSL certificate on Squid 2.5, CA keys seem to be ignored

From: Justin Albstmeijer <justin@dont-contact.us>
Date: Wed, 1 Jan 2003 21:22:05 +0100 (CET)

Henrik,

Thanx, this solved my issue.

> justin@tryllian.com wrote:
>
>> If I try to get these certificates to work with Squid 2.5 (https_port
>> 443 cert=/usr/local/squid/etc/server.pem) and put all 3 certificates +
>> the private key in 1 pem file... the CA is not recognized by my
>> browser.. in the certificate hierarchy there is no mention of any CA,
>> only my key is shown..
>
> You might want to try the SSL update available from
> http://devel.squid-cache.org/ssl/, it includes support for SSL
> certificate chains.
>
> If you do not feel like using the whole SSL update then just the
> following change in ssl_support.c should do the trick:
>

The whole SSL patch did not compile with squid-2.5-stable1

> From:
> if (!SSL_CTX_use_certificate_file(sslContext, certfile,
> SSL_FILETYPE_PEM)) {
> To:
> if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {

Just one remark:

In my chrooted squid installation it did not work..
As soon as I tried the "SSL_CTX_use_certificate_chain_file" compiled
binary.. I got the following error on startup:

error:02001002:system library:fopen:No such file or directory

when trying to open my server.pem file.

With a strace, it was clear it opened the server.pem file...

Eventually it was the fact that I had no "/usr/share/ssl/openssl.cnf" that
caused this problem... with SSL_CTX_use_certificate_file this had been no
problem.

Is there a good explanation for this?

>
> Regards
> Henrik

Justin
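The thread turns on how the two OpenSSL loaders treat the one-file bundle squid's `cert=` option points at: `SSL_CTX_use_certificate_file` takes only the first certificate in the file, while `SSL_CTX_use_certificate_chain_file` takes the first certificate as the server certificate and every following one as the chain sent to the browser. The following checker is an added example, not code from the thread or from squid; it parses a PEM bundle with the standard library only and reports what each loader would pick up. The bundle is constructed with fake DER bodies (tiny SEQUENCEs, not real certificates or keys), so only the file layout is checked, not signatures.

```python
import base64
import re

# Constructed bundle in the layout squid's cert= file needs:
# server certificate first, then the chain, then the private key.
# Bodies are placeholder DER SEQUENCEs, NOT real certificates or keys.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQM=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MAMCAQQ=
-----END RSA PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END \1-----")


def parse_pem_bundle(text):
    """Return [(label, der_bytes), ...] in file order; reject malformed blocks."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        # X.509 certificates and PKCS#1 keys are DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to DER")
        blocks.append((label, der))
    return blocks


def check_bundle(text):
    """Report what each OpenSSL loader would take from this bundle."""
    labels = [label for label, _ in parse_pem_bundle(text)]
    cert_count = labels.count("CERTIFICATE")
    key_count = sum(label.endswith("PRIVATE KEY") for label in labels)
    problems = []
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("first block must be a CERTIFICATE (the server cert)")
    if key_count != 1:
        problems.append(f"expected exactly one private key, found {key_count}")
    return {
        "loaded_by_use_certificate_file": min(cert_count, 1),
        "loaded_by_use_certificate_chain_file": cert_count,
        "problems": problems,
    }
```

Intermediates are sent in file order, so a bundle that passes this check still has to list them leaf-first; the check cannot see signatures, only layout.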
Received on Wed Jan 01 2003 - 13:22:12 MST