Re: [squid-users] problem config squid3 as ssl accelerator

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Thu, 21 Dec 2006 00:15:45 +0100

On Wed 2006-12-20 at 18:17 +0800, Jasenux Wong wrote:
> from the squid (squid -d 9 -N) box i get this:
> TCP connection to xxxx/failed
> fwNegotiateSSL: Error negotiating SSL connection on FD 13:....
> certificate verify failed (1/-1/0)

The CA issuing the certificate used by the server is not trusted by your
Squid.

> my squid.conf,
> http_port 80
> https_port 443 cert=mycert.pem accel defaultsite=targetwebserver
> ssl_unclean_shutdown on
> sslproxy_capath /etc/ssl/certs
> sslproxy_flags DONT_VERIFY_PEER DONT_VERIFY_DOMAIN
> cache_peer targetwebserver parent 443 0 proxy-only no-query default
> originserver ssl front-end-https=auto

cache_peer has its own SSL flags etc. The settings set in sslproxy_*
aren't used there. See the cache_peer directive.

The sslproxy_* directives are used by Squid when forwarding requests
direct or via "normal" proxy type peers (not origin type).

Regards
Henrik

Received on Wed Dec 20 2006 - 16:15:54 MST
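
An added configuration sketch, not part of the original message, showing where the peer's trust settings go according to the reply above. It assumes the Squid 3.x cache_peer options sslcapath=, sslcafile=, ssldomain= and sslflags=; the host name and paths are the ones from the quoted squid.conf, and the sslcafile path is a placeholder.

```conf
# Constructed example: reverse proxy (accelerator) re-encrypting to an
# HTTPS origin server.

http_port 80
https_port 443 cert=mycert.pem accel defaultsite=targetwebserver

# sslproxy_capath / sslproxy_flags only affect requests Squid forwards
# direct or through ordinary proxy peers. They are ignored for the
# originserver peer below, so they are left out here.

# As posted: the peer line carries no trust settings of its own, and the
# handshake ends in "certificate verify failed".
# cache_peer targetwebserver parent 443 0 proxy-only no-query default originserver ssl front-end-https=auto

# Corrected: the CA directory is given on the cache_peer line itself.
# The directory must hold the issuing CA in OpenSSL hashed-name form.
cache_peer targetwebserver parent 443 0 proxy-only no-query default originserver ssl sslcapath=/etc/ssl/certs front-end-https=auto

# Variants on the same line:
#   sslcafile=/path/to/issuing-ca.pem   single CA bundle (placeholder path)
#   ssldomain=<name in certificate>     when it differs from the peer host name
#
# sslflags=DONT_VERIFY_PEER on the peer also makes the error go away, but
# the proxy then accepts any certificate from whatever answers on port 443
# of the origin, so trusting the issuing CA is the setting to prefer.
```

After changing the line, `squid -k parse` checks the syntax and `squid -d 9 -N`, as used in the question, shows whether the handshake to the peer now completes.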
