[prev in list] [next in list] [prev in thread] [next in thread] 

List:       squid-users
Subject:    Re: [squid-users] cache-peer and tls
From:       Amos Jeffries <squid3 () treenet ! co ! nz>
Date:       2019-08-04 3:00:52
Message-ID: 53442a63-6456-fe18-2801-4e3e999d8c11 () treenet ! co ! nz
[Download RAW message or body]

On 4/08/19 2:11 am, Eugene M. Zheganin wrote:
> Hello,
> 
> 
> I'm using squid 4.6 and I need to TLS-encrypt the session to the parent
> proxy. I have in config:
> 
> 
> cache_peer proxy.foo.bar parent 3129 3130 tls
> tls-cafile=/usr/local/etc/squid/certs/le.pem
> sslcert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem
> sslkey=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem
> sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
> 

Please start with "squid -k parse" and update those to the Squid-4 options.

Also, any errors/warnings mentioned about the PEM files contents need to
be fixed.


> 
> But no matter what I'm doing, squid keeps telling in logs that he
> doesn't like the peer certificate:
> 
> 
> 2019/08/03 18:42:24 kid1| ERROR: negotiating TLS on FD 23:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
> verify failed (1/-1/0)
> 2019/08/03 18:42:24 kid1| temporary disabling (Service Unavailable)
> digest from proxy.foo.bar
> 
> and then he's going directly bypassing the peer. :/
> 
> 
> Is there any way to tell him that I don't care ?
> 

You really should care. There is no point in TLS to a peer if you are
going to ignore whether the right peer is even being connected to.


Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[prev in list] [next in list] [prev in thread] [next in thread]