Squid rejects self-signed SSL certificate of ICAP server

Squid rejects self-signed SSL certificate of ICAP server

Nikita
Hello, I'm trying to integrate Squid with a secure ICAP server over the icaps:// protocol for two-way authentication (icap_service configuration directive).

I found out that Squid rejects the self-signed certificate of the ICAP server and there is no obvious workaround.

There is the tls-flags=DONT_VERIFY_PEER flag, but in this case Squid doesn't send its own certificate to the ICAP server, so a more accurate workaround is needed. The sslproxy_cert_error configuration directive with the ssl_error acl type doesn't help either.

Is it possible to allow self-signed SSL certificates for ICAP server connections somehow? Probably I'm missing some obvious solution, since I have no experience in Squid configuration.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Squid rejects self-signed SSL certificate of ICAP server

Alex Rousskov
On 06/21/2017 10:15 AM, Nikita wrote:

> Is it possible to allow self-signed SSL certificates for ICAP server
> connections somehow?

Can you configure your OpenSSL library (or equivalent) to trust the ICAP
server certificate? Squid delegates most of the certificate validation
work to OpenSSL (or equivalent).


> There is tls-flags=DONT_VERIFY_PEER flag, but in this case Squid
> doesn't send its own certificate to ICAP server

Why do you think tls-flags=DONT_VERIFY_PEER only works if Squid sends
its own certificate? The two actions (from-peer certificate validation
and sending of a certificate to a peer) seem unrelated to me.

Alex.
Re: Squid rejects self-signed SSL certificate of ICAP server

Nikita

2017-06-21 19:46 GMT+03:00 Alex Rousskov <[hidden email]>:
> On 06/21/2017 10:15 AM, Nikita wrote:
>
> > Is it possible to allow self-signed SSL certificates for ICAP server
> > connections somehow?
>
> Can you configure your OpenSSL library (or equivalent) to trust the ICAP
> server certificate? Squid delegates most of the certificate validation
> work to OpenSSL (or equivalent).

Probably worth a try, but generally it is undesirable in my case to modify the global OpenSSL config.

> > There is tls-flags=DONT_VERIFY_PEER flag, but in this case Squid
> > doesn't send its own certificate to ICAP server
>
> Why do you think tls-flags=DONT_VERIFY_PEER only works if Squid sends
> its own certificate? The two actions (from-peer certificate validation
> and sending of a certificate to a peer) seem unrelated to me.

In my case, for some unknown reason, Squid doesn't send its own certificate to the ICAP server, probably because of the DONT_VERIFY_PEER flag, but I'm not sure here. BIO_do_handshake fails with "no certificate returned" on the ICAP server side, despite the fact that the Squid certificate was specified via the tls-cert and tls-key options of the icap_service config directive and the ICAP server was configured to request a client certificate. It seems I need to investigate the Squid source code in more detail to find some answers; thanks for the advice.

> Alex.


Re: Squid rejects self-signed SSL certificate of ICAP server

Amos Jeffries
On 22/06/17 21:23, Nikita wrote:

>
> 2017-06-21 19:46 GMT+03:00 Alex Rousskov:
>
>     On 06/21/2017 10:15 AM, Nikita wrote:
>
>     > Is it possible to allow self-signed SSL certificates for ICAP server
>     > connections somehow?
>
>     Can you configure your OpenSSL library (or equivalent) to trust the ICAP
>     server certificate? Squid delegates most of the certificate validation
>     work to OpenSSL (or equivalent).
>
>
> Probably worth a try, but generally it is undesirable in my case to
> modify global OpenSSL config.
>
>
>     > There is tls-flags=DONT_VERIFY_PEER flag, but in this case Squid
>     > doesn't send its own certificate to ICAP server
>
>     Why do you think tls-flags=DONT_VERIFY_PEER only works if Squid sends
>     its own certificate? The two actions (from-peer certificate validation
>     and sending of a certificate to a peer) seem unrelated to me.
>
>
> In my case, for some unknown reason, Squid doesn't send its own certificate
> to the ICAP server, probably because of the DONT_VERIFY_PEER flag, but I'm
> not sure here. BIO_do_handshake fails with "no certificate returned" on the
> ICAP server side, despite the fact that the Squid certificate was specified
> via the tls-cert and tls-key options of the icap_service config directive
> and the ICAP server was configured to request a client certificate. It seems
> I need to investigate the Squid source code in more detail to find some
> answers; thanks for the advice.


What DONT_VERIFY_PEER does is prevent Squid from checking any of the TLS
server details that ensure it is actually talking to the ICAP server you
configured it to use. As Alex said, it does not directly prevent Squid
code from sending a client cert, but it *does* allow your Squid traffic
to be diverted to a completely irrelevant ICAP server, and you will never
know.

It is quite possible the behaviour you are seeing is simply because
Squid is not even connected to the ICAP server you are trying to test with.

I hope this clarifies why I strongly recommend people erase the
DONT_VERIFY_PEER option from their configs and get things going without
it. It is not a useful debugging tool, let alone a production setting.


Amos
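As an added example (not configuration posted in this thread or shipped by the Squid project), here is a squid.conf fragment that puts the DONT_VERIFY_PEER setting Amos warns against next to the alternative Alex points at: trusting the ICAP server's self-signed certificate explicitly, scoped to the icap_service line via tls-cafile and tls-default-ca=off rather than by editing the global OpenSSL trust store. The service name, host, port and file paths are assumed placeholders.

```conf
# Added example; not from the thread. Host, port and paths are assumptions.

# Weak: DONT_VERIFY_PEER makes Squid accept whatever certificate the peer
# presents. A connection diverted to an unrelated host still succeeds, and
# nothing in cache.log tells you that happened. Shown commented out.
#icap_service svc_req reqmod_precache icaps://icap.example.internal:11344/reqmod tls-cert=/etc/squid/tls/squid-client.crt tls-key=/etc/squid/tls/squid-client.key tls-flags=DONT_VERIFY_PEER

# Better: keep peer verification on and make the ICAP server's own
# self-signed certificate the only trusted CA for this service.
#   tls-cert / tls-key   - the client certificate Squid presents (two-way auth)
#   tls-cafile           - PEM file holding the self-signed server certificate
#   tls-default-ca=off   - do not consult the system CA bundle for this peer
icap_service svc_req reqmod_precache icaps://icap.example.internal:11344/reqmod tls-cert=/etc/squid/tls/squid-client.crt tls-key=/etc/squid/tls/squid-client.key tls-cafile=/etc/squid/tls/icap-server.crt tls-default-ca=off

# The host in the icaps:// URI is also checked against the certificate name.
# Add tls-domain=<name-in-cert> only if the certificate was issued for a
# different name than the one used in the URI.

adaptation_access svc_req allow all
```

With this in place a verification failure is a real signal (wrong server, wrong file, expired certificate) rather than something silently suppressed, so the "no certificate returned" symptom from the thread can be debugged on a connection known to reach the intended ICAP server.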