cache-peer and tls


cache-peer and tls

Eugene M. Zheganin
Hello,


I'm using squid 4.6 and I need to TLS-encrypt the session to the parent
proxy. I have in config:


cache_peer proxy.foo.bar parent 3129 3130 tls
tls-cafile=/usr/local/etc/squid/certs/le.pem
sslcert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem
sslkey=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem
sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER


But no matter what I'm doing, Squid keeps telling me in the logs that it
doesn't like the peer certificate:


2019/08/03 18:42:24 kid1| ERROR: negotiating TLS on FD 23:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate
verify failed (1/-1/0)
2019/08/03 18:42:24 kid1| temporary disabling (Service Unavailable)
digest from proxy.foo.bar

and then it goes direct, bypassing the peer. :/


Is there any way to tell it that I don't care?

I've also tried to actually tell him about the CA cert with
tls-cafile=/usr/local/etc/squid/certs/le.pem above, this doesn't work
either.


Thanks.

Eugene.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: cache-peer and tls

Amos Jeffries
Administrator
On 4/08/19 2:11 am, Eugene M. Zheganin wrote:

> Hello,
>
>
> I'm using squid 4.6 and I need to TLS-encrypt the session to the parent
> proxy. I have in config:
>
>
> cache_peer proxy.foo.bar parent 3129 3130 tls
> tls-cafile=/usr/local/etc/squid/certs/le.pem
> sslcert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem
> sslkey=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem
> sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
>

Please start with "squid -k parse" and update those to the Squid-4 options.

Also, any errors/warnings mentioned about the PEM files' contents need to
be fixed.


>
> But no matter what I'm doing, Squid keeps telling me in the logs that it
> doesn't like the peer certificate:
>
>
> 2019/08/03 18:42:24 kid1| ERROR: negotiating TLS on FD 23:
> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
> verify failed (1/-1/0)
> 2019/08/03 18:42:24 kid1| temporary disabling (Service Unavailable)
> digest from proxy.foo.bar
>
> and then it goes direct, bypassing the peer. :/
>
>
> Is there any way to tell it that I don't care?
>

You really should care. There is no point in TLS to a peer if you are
going to ignore whether the right peer is even being connected to.


Amos
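As an added illustration of the two points in the reply above (this is not configuration from either poster, only a rewrite of the cache_peer line from the first message): the line as posted, using the Squid-3 option names and with both verification checks disabled, next to a Squid-4 form that keeps verification on. Host name, ports and file paths are the ones from the post; tls-domain is redundant here (it defaults to the peer hostname) and is an assumption about the name carried in the peer's certificate.

```conf
# Added example, not from the thread. Before/after forms of one cache_peer
# directive; squid.conf comment lines start with '#'.

# Before: Squid-3 option names (sslcert=, sslkey=, sslflags=) and both
# verification checks switched off. With DONT_VERIFY_PEER any certificate
# is accepted, so the TLS session no longer proves which host is on the
# other end; DONT_VERIFY_DOMAIN additionally drops the hostname check.
cache_peer proxy.foo.bar parent 3129 3130 tls tls-cafile=/usr/local/etc/squid/certs/le.pem sslcert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem sslkey=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER

# After: Squid-4 option names and no DONT_VERIFY_* flags.
#  - tls-cafile must hold the CA chain that issued the *peer's* certificate;
#    that chain is what "certificate verify failed" is reported against.
#  - tls-cert / tls-key are Squid's own client certificate and key, needed
#    only if the peer requires client authentication.
#  - tls-domain (assumed value) names the host expected in the peer
#    certificate; it defaults to the peer hostname, so it is shown here only
#    to make the domain check explicit.
cache_peer proxy.foo.bar parent 3129 3130 tls tls-cafile=/usr/local/etc/squid/certs/le.pem tls-cert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem tls-key=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem tls-domain=proxy.foo.bar
```

After editing, run "squid -k parse" as suggested in the reply: it reports option names it does not recognise under Squid-4 and any problem reading the PEM files, and those messages are what need fixing before the peer connection will verify.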