On Wed, 23 Feb 2011 15:19:20 -0800 (PST), gohone wrote:
> Thanks for you reply.
>
> You are right about the old setting "acl all src 0.0.0.0/0.0.0.0" . I
> removed it and the warning message has disappeared when the daemon
> is
> restarted.
>
> Concerning my main issue I don't understand when you suggest "You
> can
> present a real non- self-signed certificate to the visitors via
> http_port. "
>
> I already have in my conf --> "https_port 443 accel
> cert=/path/owa.pem
> key=/path/ owa.pem defaultsite=exchange_outside vhost"
>
> What is the setting you advise me to add in my config ?
No setting. The certificate MUST be one which the client will accept.
There are two ways to make the client accept it;
one is to install your self-signing CA on the client (popular amongst
home LAN and business internal setups)
the other is to pay some commonly recognised CA (who has already gone
to the trouble of installing their CA in the browsers) to sign the
certificate for you.
Since the cert Exchange is presenting is accepted by your clients, then
I would suggest using that cert on Squid's http_port instead of a
self-signed one. There are a lot of discussions and tutorials on the web
and this mailing list about how to do that.
Amos
Received on Wed Feb 23 2011 - 23:27:53 MST
This archive was generated by hypermail 2.2.0 : Thu Feb 24 2011 - 12:00:03 MST