Re: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.
On Fri 2009-09-25 at 10:57 -0500, Dean Weimer wrote:

> 2009/09/25 11:38:07| SSL unknown certificate error 18 in...
> 2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

This is your Squid trying to use SSL to connect to the requested server. Not related to the http_port certificate settings. Validation requirements on peer certificates are set in cache_peer.

Regards
Henrik
RE: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.
On Tue 2009-09-29 at 07:54 -0500, Dean Weimer wrote:

> I didn't see that one, though I have the real certificate now and everything is working with it. I figure the sslflags on the cache peer settings should accomplish the same thing, but they didn't seem to make a difference whether I included them or not.

It should. Which versions of Squid are you running?

Regards
Henrik
RE: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.
-----Original Message-----
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
Sent: Monday, October 05, 2009 4:48 AM
To: Dean Weimer
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.

> On Fri 2009-09-25 at 10:57 -0500, Dean Weimer wrote:
>
>> 2009/09/25 11:38:07| SSL unknown certificate error 18 in...
>> 2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
>
> This is your Squid trying to use SSL to connect to the requested server. Not related to the http_port certificate settings. Validation requirements on peer certificates are set in cache_peer.
>
> Regards
> Henrik

I was running Squid 3.0.STABLE19 on the test system. Here are the configuration lines from the original test. At one point I had added cert lines on the cache_peer before realizing that those were only for use when certificate authentication was needed on the parent. I can't remember for sure if the log was copied from when I had those options on or not; I still had an invalid certificate error after removing them, but it may have been a different error number.

https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost
cache_peer 1.2.3.4 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite

My production server is a couple of revisions behind, currently running STABLE17; it will be updated to 19 this coming weekend. I did not test it with the fake certificate.

Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co
RE: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.
-----Original Message-----
From: Chris Robertson [mailto:crobert...@gci.net]
Sent: Monday, September 28, 2009 4:16 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.

> Dean Weimer wrote:
>
>> I am trying to set up a test with an SSL reverse proxy on an intranet site. I currently have a fake self-signed certificate, and the server is answering on the HTTP side just fine, and answering on HTTPS; however, I get a (92) protocol error returned from the proxy when trying to access it through HTTPS. I have added the following lines for the HTTPS option:
>>
>> https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost
>> cache_peer 10.20.10.76 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite
>>
>> From the log I can see the error is caused by the invalid certificate.
>>
>> 2009/09/25 11:38:07| SSL unknown certificate error 18 in...
>> 2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
>>
>> Is there a way that I can tell it to go ahead and trust this fake certificate during testing while I wait for the actual, valid certificate to be issued?
>
> Perhaps http://www.squid-cache.org/Doc/config/sslproxy_flags/
>
>> Thanks,
>> Dean Weimer
>> Network Administrator
>> Orscheln Management Co
>
> Chris

I didn't see that one, though I have the real certificate now and everything is working with it. I figure the sslflags on the cache peer settings should accomplish the same thing, but they didn't seem to make a difference whether I included them or not.

Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co
Re: [squid-users] SSL Reverse Proxy testing With Invalid Certificate, can it be done.
Dean Weimer wrote:

> I am trying to set up a test with an SSL reverse proxy on an intranet site. I currently have a fake self-signed certificate, and the server is answering on the HTTP side just fine, and answering on HTTPS; however, I get a (92) protocol error returned from the proxy when trying to access it through HTTPS. I have added the following lines for the HTTPS option:
>
> https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost
> cache_peer 10.20.10.76 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite
>
> From the log I can see the error is caused by the invalid certificate.
>
> 2009/09/25 11:38:07| SSL unknown certificate error 18 in...
> 2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
>
> Is there a way that I can tell it to go ahead and trust this fake certificate during testing while I wait for the actual, valid certificate to be issued?

Perhaps http://www.squid-cache.org/Doc/config/sslproxy_flags/

> Thanks,
> Dean Weimer
> Network Administrator
> Orscheln Management Co

Chris
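The thread turns on two points: Henrik's note that origin-certificate verification for a reverse proxy is governed by the cache_peer line (not by https_port), and the sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN workaround in Dean's config. The following is an added example, not Squid's code and not anything posted in the thread: a small Python audit script that parses cache_peer and sslproxy_flags lines from a squid.conf, reports peers whose certificate checks are switched off or that have no trust anchor (sslcafile=/sslcapath=) configured, and decodes the number in the cache.log line "SSL unknown certificate error 18" to its OpenSSL meaning (18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, i.e. a self-signed origin certificate). The directive and option names are real Squid 3.x ones; the sample config and log lines are constructed from values quoted in the thread, and the peer names secure_other and secure_hardened, the addresses 10.20.10.77/78 and the origin-test.crt path are placeholders.

```python
"""Audit squid.conf TLS peer-verification settings and decode the
"SSL unknown certificate error N" lines squid writes to cache.log.

Added example for the thread above; not Squid's own code.  Directive and
option names (cache_peer ... ssl sslflags= sslcafile= sslcapath=,
sslproxy_flags) are real Squid 3.x options; the sample config, peer
names, addresses and log lines below are constructed from the thread."""
import re

# OpenSSL X509 verify result codes (x509_vfy.h); squid prints the number
# in "SSL unknown certificate error N".  Subset relevant to origin certs.
X509_VERIFY_ERRORS = {
    2: "unable to get issuer certificate",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate (depth 0)",
    19: "self-signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# cache_peer <host> <type> <http-port> <icp-port> [options...]
CACHE_PEER_RE = re.compile(r"^cache_peer\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*(.*)$")
LOG_ERR_RE = re.compile(r"SSL unknown certificate error (\d+)")

SAMPLE_CONF = """\
# constructed from the thread: https_port plus the peer with verification disabled
https_port 443 accel cert=/usr/local/squid/etc/certs/server.crt key=/usr/local/squid/etc/certs/server.key defaultsite=mysite vhost
cache_peer 10.20.10.76 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=secure_mysite
# constructed: ssl peer with neither flags nor a trust anchor -> a self-signed cert fails (error 18)
cache_peer 10.20.10.77 parent 443 0 no-query originserver ssl name=secure_other
# constructed hardened form: keep verification on, trust exactly the test cert (placeholder path)
cache_peer 10.20.10.78 parent 443 0 no-query originserver ssl sslcafile=/usr/local/squid/etc/certs/origin-test.crt name=secure_hardened
"""

SAMPLE_LOG = """\
2009/09/25 11:38:07| SSL unknown certificate error 18 in...
2009/09/25 11:38:07| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
"""


def parse_cache_peer(line):
    """Return {host, type, port, options} for a cache_peer line, else None.
    Bare options (ssl, originserver) map to True, key=value ones to value."""
    m = CACHE_PEER_RE.match(line)
    if not m:
        return None
    host, ptype, http_port, _icp_port, rest = m.groups()
    options = {}
    for token in rest.split():
        key, _, value = token.partition("=")
        options[key] = value if value else True
    return {"host": host, "type": ptype, "port": int(http_port), "options": options}


def audit_cache_peer(peer):
    """Findings as (peer_name, code, message) tuples for one parsed peer."""
    opts = peer["options"]
    if "ssl" not in opts:
        return []                      # plain HTTP peer: nothing TLS to check
    name = opts["name"] if isinstance(opts.get("name"), str) else peer["host"]
    raw = opts.get("sslflags", "")
    flags = set(raw.split(",")) if isinstance(raw, str) else set()
    findings = []
    if "DONT_VERIFY_PEER" in flags:
        findings.append((name, "NO_PEER_VERIFY",
                         "sslflags=DONT_VERIFY_PEER accepts any certificate from %s; "
                         "prefer sslcafile= naming the test cert or its CA" % peer["host"]))
    if "DONT_VERIFY_DOMAIN" in flags:
        findings.append((name, "NO_DOMAIN_VERIFY",
                         "sslflags=DONT_VERIFY_DOMAIN skips matching the certificate "
                         "against %s" % peer["host"]))
    if "DONT_VERIFY_PEER" not in flags and "sslcafile" not in opts and "sslcapath" not in opts:
        findings.append((name, "NO_TRUST_ANCHOR",
                         "no sslcafile=/sslcapath=: a self-signed or private-CA certificate "
                         "on %s fails verification (cache.log error 18/19/20)" % peer["host"]))
    return findings


def audit_config(conf_text):
    """Walk a squid.conf text; return all findings (cache_peer and sslproxy_flags)."""
    findings = []
    for raw_line in conf_text.splitlines():
        line = raw_line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("sslproxy_flags"):
            parts = line.split(None, 1)
            flags = set(parts[1].split(",")) if len(parts) > 1 else set()
            if "DONT_VERIFY_PEER" in flags:
                findings.append(("sslproxy_flags", "NO_PEER_VERIFY",
                                 "global sslproxy_flags DONT_VERIFY_PEER disables certificate "
                                 "checks for https:// URLs squid fetches itself"))
            continue
        peer = parse_cache_peer(line)
        if peer:
            findings.extend(audit_cache_peer(peer))
    return findings


def decode_log_line(line):
    """Map a cache.log 'SSL unknown certificate error N' line to (N, reason)."""
    m = LOG_ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    return code, X509_VERIFY_ERRORS.get(code, "X509 verify error %d (see x509_vfy.h)" % code)


if __name__ == "__main__":
    for name, code, msg in audit_config(SAMPLE_CONF):
        print("%-16s %-16s %s" % (name, code, msg))
    for line in SAMPLE_LOG.splitlines():
        decoded = decode_log_line(line)
        if decoded:
            print("cache.log error %d = %s" % decoded)
```

Running it against the constructed config reports the two disabled checks on secure_mysite, the missing trust anchor on secure_other, and nothing for secure_hardened, and decodes the thread's error 18 as a self-signed certificate at depth 0. The hardened line is the testing alternative to DONT_VERIFY_PEER: verification stays on and the self-signed test certificate is named as the trust anchor through sslcafile= (assuming, as OpenSSL allows, that a self-signed certificate present in the CA file is accepted as its own anchor); once the real certificate is issued, that file becomes the issuing CA's certificate instead.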