Re: [squid-users] Squid3 and certificates in a cluster

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 10 Apr 2006 11:18:02 +0200

Sun 2006-04-09 at 21:10 -0700, Discussion Lists wrote:
> Suppose I have two squid3 machines that are clustered, and I want them
> both to offer reverse SSL proxy (depending on whichever is active of
> course). Assuming that all is set up correctly, couldn't I just keep
> identical copies of the certificate and key on each machine and expect
> Squid3 and the Internet to not know the difference?

Yes.

In fact this is even a MUST for clustered SSL servers as otherwise the
clients will get quite confused if they get different certificates from
the same server..

Please note that it is also important you set the sslcontext differently
on the members of the cluster (or alternatively disable the SSL session
reuse entirely if you have an RSA accelerator chip or lots of spare CPU
time..). If not there is a slight risk of confusion in SSL session reuse
causing random client communication failures.

Regards
Henrik

Received on Mon Apr 10 2006 - 03:18:11 MDT
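
A check for the two points in the reply above, added here as an example and not code from the thread or from the Squid project: it confirms that every cluster member presents the same certificate and key, and that members allowing SSL session reuse have distinct `sslcontext` values. The node names, file paths and `https_port` lines are constructed; it assumes reuse is disabled with `sslflags=NO_SESSION_REUSE` and that an unset `sslcontext` counts as one shared default value.

```python
import hashlib

def https_port_options(conf_text):
    """Parse the options of the first https_port line in a squid.conf text."""
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "https_port":
            return dict(tok.partition("=")[::2] for tok in fields[2:])
    return {}

def check_cluster(members):
    """members: {name: (squid_conf_text, cert_bytes, key_bytes)}.
    Returns a list of findings; an empty list means the advice is followed."""
    findings = []
    # 1. Every member must present the same certificate and key.
    digests = {name: hashlib.sha256(cert).hexdigest()
               + hashlib.sha256(key).hexdigest()
               for name, (_, cert, key) in members.items()}
    if len(set(digests.values())) > 1:
        findings.append("certificate/key differs between members: "
                        + ", ".join(sorted(digests)))
    # 2. Members that allow session reuse need distinct sslcontext values.
    seen = {}
    for name, (conf, _, _) in sorted(members.items()):
        opts = https_port_options(conf)
        if "NO_SESSION_REUSE" in opts.get("sslflags", "").split(","):
            continue  # reuse disabled, so the context value does not matter
        # Assumption: an unset sslcontext counts as one shared default value.
        ctx = opts.get("sslcontext", "")
        if ctx in seen:
            findings.append(f"{seen[ctx]} and {name} share sslcontext {ctx!r}")
        seen.setdefault(ctx, name)
    return findings

# Constructed sample data: placeholder bytes, hypothetical paths and names.
CERT, KEY = b"constructed certificate bytes", b"constructed key bytes"
LINE = ("https_port 443 cert=/etc/squid/site.pem key=/etc/squid/site.key "
        "defaultsite=www.example.com")
GOOD = {"node-a": (LINE + " sslcontext=node-a\n", CERT, KEY),
        "node-b": (LINE + " sslcontext=node-b\n", CERT, KEY)}
BAD = {"node-a": (LINE + " sslcontext=cluster\n", CERT, KEY),
       "node-b": (LINE + " sslcontext=cluster\n", CERT, KEY + b"x")}
NOREUSE = {n: (LINE + " sslflags=NO_SESSION_REUSE\n", CERT, KEY)
           for n in ("node-a", "node-b")}

if __name__ == "__main__":
    for label, cluster in (("good", GOOD), ("bad", BAD), ("noreuse", NOREUSE)):
        print(label, check_cluster(cluster) or "ok")
```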
