On 19/02/2012 5:42 a.m., ALAA MURAD wrote:
> Dear Amos ,
>
> Thanks again for your continues support. I hope at the end of this we
> can have a complete and a simple configuration for everyone that want
> to have a simple secure reverse proxy.
>
> I always like to do things the right way, but the SSL is the only
> thing standing in my way. I really don't like the
> 'sslflags=DONT_VERIFY_PEER' either but removing it causing many
> problems.
>
> As you can see from
> https_port 443 cert=C:/Interceptor/cert/baj.cert key=C:/Interceptor/cert/baj.key
>
> Those are the OpenSSL Pem conversion for my actual domain certificate,
> I did also generate a pem for the CA, and tried all possible
> combination of capath , cafile, clientca& sslproxy_capath to insert
> this certificate CA but without success (getting different errors)
Nono. The root CA are installed into OpenSSL directly. See the google
links below.
>
> So as you said "Without it Squid attempts to validate the peer SSL
> certificate against the root CA Squid (via the openssl library)
> trusts." I'm not sure what is the connection between the two , I do
> have OpenSSL installed but only for conversion of the certificates
> (from cert, to pem) (Not even installed on my production squid !).
Openssl libraries (libssl ?) are what do all the work. The squid.conf
settings are just telling Squid what to send to openSSL for each type of
SSL connection: client connections (http_port), server connections
(sslproxy_*) and peer connections (cache_peer).
>
>
> My question, how to add the CA cert to OpenSSL or Squid ?
There seems to be a few tutorials on it:
http://www.google.com/search?q=add+a+custom+CA+to+openssl
Amos
Received on Sat Feb 18 2012 - 17:27:24 MST
This archive was generated by hypermail 2.2.0 : Sat Feb 18 2012 - 12:00:04 MST