[squid-users] Unofficial root CAs with squid squid-users@squid-cache.org

From: nodata <[email protected]>
Date: Thu, 2 Dec 2004 15:52:03 +0100 (CET)

Hi.

I'm using Squid Version 2.5.STABLE6 in this configuration:
 Internet ->HTTPS-> squid ->HTTP-> Intranet

It works *perfectly* with a self-signed certificate.

However, if I sign a certificate with my own CA certificate, created using
the -newca option to CA.pl, it doesn't work, and I get the following
error:
 FATAL: Bungled squid.conf
The error goes away when I switch back to my self-signed certificate -
only a certificate signed by my own CA certificate does not work.

To try and find out why, I set up a secure website using Apache's httpd. I
added the SSLCACertificateFile directive, and it worked perfectly. I just
had to accept the certificate.

I tried various option to get squid to accept the CA, some of them
probably made up:
 sslflags=DONT_VERIFY_PEER
 cafile=/path/to/cert
 ca=/path/to/cert

Thinking squid couldn't take an argument to a different CA file, I
appended my CA cert to the ca-bundle.crt file, making sure the format was
exactly the same as the other certs in the file, i.e. an x509 part then
the cert.

squid -k parse still complained.

What do I need to do to get this working?
(I'm not able to patch squid because of automatic updates.)

I'm running FC3.

Thanks a lot.
Received on Thu Dec 02 2004 - 07:52:04 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:01 MST