RE: [squid-users] Squid3 and certificates in a cluster

From: Discussion Lists <discussions@dont-contact.us>
Date: Mon, 10 Apr 2006 09:18:48 -0700

Great advice, thank you!

> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
> Sent: Monday, April 10, 2006 2:18 AM
> To: Discussion Lists
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid3 and certificates in a cluster
>
>
> Sun 2006-04-09 at 21:10 -0700, Discussion Lists wrote:
> > Suppose I have two squid3 machines that are clustered, and I want them
> > both to offer reverse SSL proxy (depending on whichever is active of
> > course). Assuming that all is set up correctly, couldn't I just keep
> > identical copies of the certificate and key on each machine and expect
> > Squid3 and the Internet to not know the difference?
>
> Yes.
>
> In fact this is even a MUST for clustered SSL servers as
> otherwise the clients will get quite confused if they get
> different certificates from the same server..
>
> Please note that it is also important you set the sslcontext
> differently on the members of the cluster (or alternatively
> disable the SSL session reuse entirely if you have an RSA
> accelerator chip or lots of spare CPU time..). If not there
> is a slight risk of confusion in SSL session reuse causing
> random client communication failures.
>
> Regards
> Henrik
>
Received on Mon Apr 10 2006 - 10:18:53 MDT
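
The setup discussed in this thread, written out as squid.conf fragments. This is an added example, not part of the original messages: the hostname, file paths and context strings are assumptions, and only the https_port line of each member is shown.

```conf
# Added example: hostname, paths and sslcontext values are assumed,
# not taken from the thread. These are three separate fragments,
# not one file.

# --- cluster member A: squid.conf ---
# Same certificate and key as member B, so clients see one server identity.
# sslcontext= sets the SSL session ID context; it is unique per member.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/ssl/site.pem key=/etc/squid/ssl/site.key sslcontext=squid-node-a

# --- cluster member B: squid.conf ---
# Identical cert= and key= contents, different sslcontext= value.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/ssl/site.pem key=/etc/squid/ssl/site.key sslcontext=squid-node-b

# --- alternative, used on both members instead of distinct contexts ---
# Disables SSL session reuse entirely: every connection does a full
# handshake, which costs CPU unless RSA operations are offloaded.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/ssl/site.pem key=/etc/squid/ssl/site.key sslflags=NO_SESSION_REUSE
```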
