Re: [squid-users] squid2.6.STABLE21: reverse proxy+chained SSL certificates

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 23 May 2009 14:17:34 +1200

Joaqu�n Puga wrote:
> Hi everybody.
>
> We are running squid2.6.STABLE21 as a reverse proxy. Verisign does not
> issue unchained certificates anymore, so we have to use a chained one.
> I have been researching how to configure squid to use the chained
> certs, but I'd like that someone could confirm whether I'm right or
> wrong.
>
> 1) squid2.6.STABLE21 supports chained certificates
> 2) This is our current https_port with the unchained cert:
> https_port x.y.w.z:443 cert=/etc/squid/certs/ww1.pem
> key=/etc/squid/certs/ww1key.pem version=1 accel vhost
>
> In this thread (http://www.squid-cache.org/mail-archive/squid-users/200509/0289.html)
> Henrik mentions:
>
> "Certificate chains is supported by Squid-3 or the SSL update patch to
> Squid-2.5. You then enable the use of chained certificates by
> appending the CA certificate to your server certificate, both in the
> same file with the server certificate first and followed by the CA
> certificate chain."
>
> This means I just have to download the X.509 CA intermediate cert.,
> the chained cert., and put both together in /etc/squid/certs/ww1.pem.
> Then it should work, right? Is there anything else I need to do?

Henrik added what he documents as "primitive chained certificates" from
2.6.STABLE15 with various fixes to it up until STABLE21.

I'm not certain though of how much of the certificate protocols are
usable, you will likely need to test and find out.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.7
Received on Sat May 23 2009 - 02:17:41 MDT

This archive was generated by hypermail 2.2.0 : Sat May 23 2009 - 12:00:02 MDT