sending certificate chain from squid reverse proxy


sending certificate chain from squid reverse proxy

Alan Dawson
Hi,

Is it possible to send a certificate chain from squid when it's used in
reverse proxy (accel) mode and compiled with gnutls?

I am running Debian Buster, and the packaged squid https://packages.debian.org/buster/squid is 4.6-1

squid -v reports that it is compiled --with-gnutls

I have the following line (for squid proxy in front of Microsoft Exchange 2016).

https_port 443 accel tls-cert=fullchain.crt tls-key=privkey.pem defaultsite=webmail.example.com vhost  connection-auth=off tls-dh=dh2048.pem

Where fullchain.crt is a concatenation of the public certificate and an
intermediate CA.

The http://www.squid-cache.org/Versions/v4/cfgman/http_port.html
page says this regarding the tls-cert option:

tls-cert=   Path to file containing an X.509 certificate (PEM format)
            to be used in the TLS handshake ServerHello.

            ...

            When OpenSSL is used this file may also contain a
            chain of intermediate CA certificates to send in the
            TLS handshake.

            When GnuTLS is used this option (and any paired
            tls-key= option) may be repeated to load multiple
            certificates for different domains.

Is it possible to send an intermediate certificate when built with GnuTLS, and if so, what are the options?


Thanks in advance,

Kate Dawson

--
"The introduction of a coordinate system to geometry is an act of violence"

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: sending certificate chain from squid reverse proxy

Amos Jeffries
Administrator
On 17/07/19 12:34 am, Kate Dawson wrote:
> Hi,
>
> Is it possible to send a certificate chain from squid when it's used in
> reverse proxy (accel) mode and compiled with gnutls ?  
>

That has not been implemented yet. Sorry.

>
> is it possible to send an intermediate certificate when build with GnuTLS, and if so, what is the options ?
>

The intention is for the chain loading (when supported) to be configured
with tls-cert= the same as one would do for OpenSSL now.

Amos
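The practical way to settle the question in this thread for a given installation is to look rather than guess: check which TLS library the installed squid was built with, check what the tls-cert= bundle actually contains and whether it is in the order a TLS server must send it (leaf first, then each issuer), and then ask the listener itself with `openssl s_client -showcerts`. The script below does those three checks. It is an added example, not code from the thread or from the Squid project; it assumes openssl(1) is on the path for the order and live checks, and the bundle path, host name and port it is invoked with are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Checks the three things this thread turns on: which TLS library the
# installed squid was built with, what the tls-cert= bundle contains, and
# what a running accel listener actually presents to clients.
# Assumes openssl(1) is installed (needed only for the order and live checks);
# the bundle path and host/port given on the command line are hypothetical.

# Read `squid -v` output on stdin and print the TLS backend it was built with.
squid_tls_backend() {
    out=$(cat)
    case "$out" in
        *--with-openssl*) echo openssl ;;
        *--with-gnutls*)  echo gnutls ;;
        *)                echo none ;;
    esac
}

# Number of PEM certificates in a bundle such as fullchain.crt.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || :
}

# Return 0 if the bundle is ordered leaf first, with each certificate's issuer
# being the subject of the next one (the order a TLS server must send).
chain_order_ok() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: $tmp/cert.1, cert.2, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/cert." n) }' "$bundle"
    n=$(pem_cert_count "$bundle")
    i=1
    rc=0
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/cert.$j" -noout -subject)
        # Drop the "issuer=" / "subject=" prefixes; openssl prints both in the same style.
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            rc=1
            break
        fi
        i=$j
    done
    rm -rf "$tmp"
    return "$rc"
}

# Count the certificates a live server presents in its handshake.
served_cert_count() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || :
}

main() {
    bundle=$1
    host=${2:-}
    port=${3:-443}
    backend=$(squid -v 2>/dev/null | squid_tls_backend)
    n=$(pem_cert_count "$bundle")
    echo "squid TLS backend: $backend; certificates in $bundle: $n"
    if [ "$n" -gt 1 ]; then
        if chain_order_ok "$bundle"; then
            echo "bundle order OK: leaf first, each issuer follows its subject"
        else
            echo "WARNING: bundle is not ordered leaf -> intermediate(s)"
        fi
        if [ "$backend" = gnutls ]; then
            echo "NOTE: a GnuTLS build of Squid 4.6 does not send the intermediates in tls-cert= (see this thread)"
        fi
    fi
    if [ -n "$host" ]; then
        echo "certificates presented by $host:$port: $(served_cert_count "$host" "$port")"
    fi
}

# Usage: sh check_chain.sh fullchain.crt [webmail.example.com [443]]
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

If the live count is 1 while the bundle holds 2 or more, the intermediates are not reaching clients, which is exactly the GnuTLS situation described above; clients that lack the intermediate in their trust store (notably Outlook and ActiveSync devices behind an Exchange front end) will then fail chain validation even though the same bundle works with an OpenSSL build.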
Re: sending certificate chain from squid reverse proxy

Martin Hoffmann
Any ETA on this?

This would really be a nice feature, since on debian/ubuntu squid comes with
GnuTLS support, while OpenSSL support means recompiling from source. So for
me, it seems, intermediate certificates are the last thing missing to be able
to use squid/GnuTLS instead of squid/OpenSSL.



Re: sending certificate chain from squid reverse proxy

Amos Jeffries
Administrator
On 3/08/19 6:08 am, Martin Hoffmann wrote:
> Any ETA on this?
>

Working on it, but no definite ETA sorry.

Amos