> On 19/12/2018 16:29, Patrick Chemla wrote:
>> - Having more than one IP on the server, create SSL certificates from
>> LetsEncrypt including each a list of some domains and sub-domains
>> - Create a very big certificate to have squid using it (not the best
>> choice because domains are of different content, far from one another)
>> - Having squid managing all certificates on a single IP. (The best
>> because some domains have very high encryption needs, and LetsEncrypt
>> is not their preference)
>> Like a bottle in the sea: Is that possible, multiple certificates,
>> with squid 4.4 on a single IP?
> Based on what I had researched recently, Squid still doesn't handle SNI
> in accel mode, so you could set different, non-wildcard certificates to
> the websites. See:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-0-x-SNI-Support-td4682018.html
> But it would be nice if Amos could confirm if this information is still
> true for 4.4.
There has been some progress in that I have now tested this behaviour
both with multiple certs in different files and sharing a PEM file.
OpenSSL definitely can use only one certificate per http(s)_port. Either
the _last_ loaded if several PEM files are loaded (each call to the
OpenSSL API *replaces* the certs loaded), or if one tries to work around
that by merging everything into a single PEM and only loading it all at
once - only the _first_ cert chain is ever used from that set.
There also does not appear to be any alternative API capable of loading
multiple certs into a single security context and having them used as
leaf certs. If anyone is aware of such a mechanism I would *greatly*
appreciate hearing about it.
On the other hand the GnuTLS mechanism can simply load as many PEMs as
one wants with a single cert chain in each - it "just works", providing
the appropriate cert chain for any requested domain in its ServerHello,
or the first cert loaded if the domain has no cert at all.
FYI; there are other bugs apparently with the GnuTLS priority-string
settings (the tls-options= and tls-min-version=) which may prevent
advanced TLS tuning. And of course with GnuTLS builds one cannot yet
have a dual-purpose proxy also doing SSL-Bump on some traffic (if that
matters). So, YMMV as to whether GnuTLS is worthwhile switching to right
If you do choose to switch, the squid.conf for this feature in a GnuTLS
build would look like:
On 19/12/2018 20:09, Amos Jeffries wrote:
> OpenSSL definitely can use only one certificate per http(s)_port. Either
> the _last_ loaded if several PEM files are loaded (each call to the
> OpenSSL API *replaces* the certs loaded), or if one tries to work around
> that by merging everything into a single PEM and only loading it all at
> once - only the _first_ cert chain is ever used from that set.
Sorry for maybe going a bit off-topic, just curious about it.
I'm mostly clueless about the implications and intricacies of "behind
the scenes" of SNI, but most modern webservers support it (Apache,
nginx, IIS). Apache, for instance, says it should be built with "OpenSSL
with the TLS Extensions option enabled", since OpenSSL v0.9.8f. And
their configuration for Virtual Hosts and SSL/TLS is rather simple from a
user's view.
So, my question would be: why would Squid have problems with SNI and
OpenSSL when other webservers/proxies have this feature using
In my (user's) opinion, Squid has far more complex features with SSL
Bump and other forward proxy handling for SSL/TLS. Why would SNI be such
a big deal?
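As an added illustration, not part of this thread and not Squid's code: the mechanism Apache and nginx rely on with OpenSSL is a per-connection servername callback (SSL_CTX_set_tlsext_servername_callback) that swaps the connection onto a different SSL_CTX holding the matching chain, which Python's ssl module exposes as SSLContext.sni_callback. The selection logic below also mirrors the "first loaded cert if no domain matches" fallback described for GnuTLS above; hostnames and file paths are constructed placeholders.

```python
import ssl
from typing import List, Optional, Tuple

# Constructed table: SNI pattern -> (cert chain PEM, key PEM), one chain per file.
# Paths are placeholders, not real deployment paths.
CERT_TABLE: List[Tuple[str, str, str]] = [
    ("www.example.test", "/placeholder/www.example.test.pem", "/placeholder/www.example.test.key"),
    ("*.shop.test",      "/placeholder/wild.shop.test.pem",   "/placeholder/wild.shop.test.key"),
]

def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # "*.shop.test" -> ".shop.test"
    return host.endswith(suffix) and "." not in host[: -len(suffix)]

def select_context(server_name: Optional[str],
                   contexts: List[Tuple[str, ssl.SSLContext]]) -> ssl.SSLContext:
    """Return the context for the requested SNI name; fall back to the first
    loaded context when the client sent no SNI or nothing matches."""
    if server_name:
        for pattern, ctx in contexts:
            if host_matches(pattern, server_name):
                return ctx
    return contexts[0][1]

def build_contexts(table, load: bool = True) -> List[Tuple[str, ssl.SSLContext]]:
    """One SSL_CTX per certificate chain, in the order they are listed."""
    contexts = []
    for pattern, cert, key in table:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        if load:
            ctx.load_cert_chain(cert, key)  # a second load would replace, not add
        contexts.append((pattern, ctx))
    return contexts

def install_sni_dispatch(contexts: List[Tuple[str, ssl.SSLContext]]) -> ssl.SSLContext:
    """Register the servername callback on the context used to accept sockets.
    OpenSSL invokes it after parsing ClientHello; assigning .context is the
    SSL_set_SSL_CTX switch that picks the chain sent in ServerHello."""
    listen_ctx = contexts[0][1]
    def on_sni(sock, server_name, _ctx):
        chosen = select_context(server_name, contexts)
        if chosen is not listen_ctx:
            sock.context = chosen
        return None                           # None = continue the handshake
    listen_ctx.sni_callback = on_sni
    return listen_ctx
```

Wrap the accepting socket with the context returned by install_sni_dispatch; the other contexts are only ever reached through the callback.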