On 23/05/2012 10:08 a.m., Ruiyuan Jiang wrote:
Hi, all

I am trying to setup MS webmail over rpc Exchange server access through squid 
(squid 3.1.19, SPARC, Solaris 10) from internet. Here is my pilot squid 
configuration (squid.conf):

https_port 156.146.2.196:443 accel 
cert=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.crt 
key=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.key 
cafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt 
defaultsite=webmail.juicycouture.com

cache_peer 10.150.2.15 parent 443 0 no-query originserver login=PASS ssl 
sslcert=/opt/squid-3.1.19/ssl.crt/webmail_katespade_com.crt 
sslkey=/opt/squid-3.1.19/ssl.crt/webmail_katespade_com.key 
sslcafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt name=exchangeServer
<snip>
2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed (1/-1/0)
2012/05/22 17:44:15| TCP connection to 10.150.2.15/443 failed
2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed (1/-1/0)

From the packet capture, the internal Exchange server reset the connection from the squid 
proxy server by either "Alert (Level: Fatal, Description: Unknown CA)" when I used the 
above official certificates or "Alert (Level: Fatal, Description: Certificate Unknown)" 
when I used an internal CA signed certificate, after the initial https handshaking between 
squid and the exchange server through the https connection. Can anyone tell me how I 
correctly configure the cache_peer statement to make it work?

In case you did not figure this out already... Squid is unable to validate the exchange server certificate using either the openssl library's trusted CA certificates or the sslcafile= parameter certificate given to verify it with.

* Check that your OpenSSL library's trusted CAs are up to date on the Squid machine - this is the most common cause of validation errors.

* Check that your /opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt file on the Squid machine contains the CA used to sign the exchange server's certificate.

Amos
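As an added example (not part of the thread, and not Squid's code), the script below reproduces Amos's second check offline: it generates throwaway certificates (constructed, standing in for DigiCertCA.crt and the Exchange server's certificate) and runs `openssl verify` against a CA file that does and one that does not contain the signing CA, which is the same path validation Squid applies to the cache_peer certificate. It assumes only the openssl CLI and mktemp are installed.

```shell
# Added diagnostic, not from the thread. Every certificate below is a constructed
# throwaway generated into a temp directory; "internal-ca.crt" stands in for the file
# named in sslcafile= and "exchange.crt" for the Exchange server's certificate.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca PREFIX CN: self-signed CA certificate + key (constructed test data).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# make_leaf CAPREFIX PREFIX CN: server certificate signed by that CA (constructed).
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 2 -out "$2.crt" >/dev/null 2>&1
}

# verify_against_cafile CAFILE CERT: exit 0 when CERT chains to a CA in CAFILE.
# This is the validation step Squid runs on the peer certificate, so a failure here
# predicts "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" in cache.log.
verify_against_cafile() {
    openssl verify -CAfile "$1" "$2"
}

# cert_issuer CERT: print the issuer DN, to compare with the subjects in the CA file.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

make_ca   "$WORK/internal-ca" "Internal Corp CA"   # the CA that really signed the leaf
make_ca   "$WORK/public-ca"   "Some Public CA"     # a CA file that does not contain it
make_leaf "$WORK/internal-ca" "$WORK/exchange" "exchange.example.internal"

# Stand-alone run: show which CA file lets the peer certificate validate.
echo "issuer of peer cert: $(cert_issuer "$WORK/exchange.crt")"
for ca in internal-ca public-ca; do
    if verify_against_cafile "$WORK/$ca.crt" "$WORK/exchange.crt" >/dev/null 2>&1; then
        echo "$ca.crt: OK, contains the signing CA"
    else
        echo "$ca.crt: FAIL, does not contain the signing CA; Squid would reject the peer"
    fi
done
```

Point the first argument of `verify_against_cafile` at the real sslcafile= path and the second at the certificate exported from the Exchange server to run the check against production files.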
