[prev in list] [next in list] [prev in thread] [next in thread]
List: squid-users
Subject: Re: [squid-users] cache-peer and tls
From: Amos Jeffries <squid3 () treenet ! co ! nz>
Date: 2019-08-04 3:00:52
Message-ID: 53442a63-6456-fe18-2801-4e3e999d8c11 () treenet ! co ! nz
[Download RAW message or body]
On 4/08/19 2:11 am, Eugene M. Zheganin wrote:
> Hello,
>
>
> I'm using squid 4.6 and I need to TLS-encrypt the session to the parent
> proxy. I have in config:
>
>
> cache_peer proxy.foo.bar parent 3129 3130 tls
> tls-cafile=/usr/local/etc/squid/certs/le.pem
> sslcert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem
> sslkey=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem
> sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
>
Please start with "squid -k parse" and update those to the Squid-4 options.
Also, any errors/warnings mentioned about the PEM files contents need to
be fixed.
>
> But no matter what I'm doing, squid keeps telling in logs that he
> doesn't like the peer certificate:
>
>
> 2019/08/03 18:42:24 kid1| ERROR: negotiating TLS on FD 23:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
> verify failed (1/-1/0)
> 2019/08/03 18:42:24 kid1| temporary disabling (Service Unavailable)
> digest from proxy.foo.bar
>
> and then he's going directly bypassing the peer. :/
>
>
> Is there any way to tell him that I don't care ?
>
You really should care. There is no point in TLS to a peer if you are
going to ignore whether the right peer is even being connected to.
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic