Paul wrote:
> Can squid (squid-2.5.STABLE1-2 running under RH9 Linux) be
> configured to handle *chained* SSL certificates (e.g. from
> FreeSSL.com) for SSL to HTTP gatewaying? Before I purchase
> chained cert (much cheaper than usual certs), I'd like to hear
> from anyone who has direct experience.
Squid doesn't support chained SSL certificates by default. However, you
could apply the attached patch which adds that capability. It's for
squid-2.5.STABLE4, but it probably fits onto older releases as well.
> With chained certs, you get the usual web certificate *plus* a second
> certificate (e.g. chain.crt) to complete the chain of trust to a root CA.
With OpenSSL as the SSL layer the order of chained certificates in the
.crt or .pem file is important. They have to be in reverse
chaining/signing order, that is, your domain certificate first, then the
intermediate certificates up to the root certificate.
> Thank you in advance for any help,
Hope it works for you.
Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net
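The ordering rule Uwe gives above is the part that usually goes wrong, because OpenSSL's SSL_CTX_use_certificate_chain_file does not complain about a reversed file: it takes the first PEM block as the server certificate and the remaining blocks as the chain, without checking that they link. The Python below is an added example, not part of the original post and not squid code: it takes a bag of PEM certificates in any order (your domain certificate plus whatever chain.crt contains), reads each one's subject and issuer with a minimal DER walker so no third-party library is needed, and writes them out leaf-first, following issuer links up to the self-signed root and refusing to emit a file when a link is missing. Everything in it is assumed for illustration: the function names are mine, and fake_cert() builds constructed, X.509-shaped but unsigned blobs with made-up names (Example Root CA, Example Intermediate CA, www.example.com) that are enough to exercise the ordering and useless to any TLS stack; on a real deployment feed order_chain() the concatenation of your own files instead.

```python
import base64
import re

def _read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}

def _name_to_str(der, start, end):
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) as CN=..,O=.. for messages."""
    parts, pos = [], start
    while pos < end:
        _, set_s, set_e = _read_tlv(der, pos)            # RelativeDistinguishedName
        p = set_s
        while p < set_e:
            _, atv_s, atv_e = _read_tlv(der, p)           # AttributeTypeAndValue
            _, oid_s, oid_e = _read_tlv(der, atv_s)       # attribute type OID
            _, val_s, val_e = _read_tlv(der, oid_e)       # attribute value string
            key = _OID_NAMES.get(der[oid_s:oid_e], der[oid_s:oid_e].hex())
            parts.append(f"{key}={der[val_s:val_e].decode('utf-8', 'replace')}")
            p = atv_e
        pos = set_e
    return ",".join(parts)

def cert_names(der):
    """Return (subject_der, issuer_der, subject_str, issuer_str) of one DER certificate."""
    _, pos, _ = _read_tlv(der, 0)                        # Certificate
    _, pos, _ = _read_tlv(der, pos)                      # tbsCertificate
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                                      # optional explicit [0] version
        pos = end
    for _ in range(2):                                   # skip serialNumber and signature AlgorithmIdentifier
        _, _, pos = _read_tlv(der, pos)
    _, iss_s, iss_e = _read_tlv(der, pos)                # issuer
    _, _, pos = _read_tlv(der, iss_e)                    # validity
    _, sub_s, sub_e = _read_tlv(der, pos)                # subject
    return (der[sub_s:sub_e], der[iss_s:iss_e],
            _name_to_str(der, sub_s, sub_e), _name_to_str(der, iss_s, iss_e))

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(text):
    return [base64.b64decode("".join(b.split())) for b in _PEM_RE.findall(text)]

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def order_chain(pem_text, include_root=True):
    """Reorder a bag of PEM certificates leaf-first, as SSL_CTX_use_certificate_chain_file expects.
    Returns (subject names in chain order, concatenated PEM); ValueError if the chain does not link up."""
    certs = [(der,) + cert_names(der) for der in pem_to_ders(pem_text)]  # (der, subj, iss, subj_s, iss_s)
    by_subject = {c[1]: c for c in certs}
    issuers = {c[2] for c in certs if c[1] != c[2]}     # names that some non-self-signed cert chains to
    leaves = [c for c in certs if c[1] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one end-entity certificate, found {len(leaves)}")
    chain, cur = [], leaves[0]
    while True:
        self_signed = cur[1] == cur[2]
        if self_signed and chain and not include_root:   # TLS lets a server omit the trust anchor
            break
        chain.append(cur)
        if self_signed:
            break
        cur = by_subject.get(cur[2])
        if cur is None:
            raise ValueError(f"missing issuer certificate for {chain[-1][3]}: need {chain[-1][4]}")
    return [c[3] for c in chain], "".join(der_to_pem(c[0]) for c in chain)

def _tlv(tag, body):
    """DER encoder used only to build the constructed sample certificates below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(subject_cn, issuer_cn):
    """Constructed: X.509-shaped, unsigned DER with a CN-only name; enough for cert_names(), useless to TLS."""
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, cn.encode()))))
    alg = _tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")      # sha256WithRSA, NULL
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name(issuer_cn)
               + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
               + name(subject_cn) + _tlv(0x30, alg + _tlv(0x03, b"\x00")))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))

# Constructed sample: the three PEM blocks root-first, the wrong order that "cat chain.crt domain.crt" yields.
SAMPLE_BUNDLE = "".join(der_to_pem(fake_cert(s, i)) for s, i in [
    ("Example Root CA", "Example Root CA"),
    ("Example Intermediate CA", "Example Root CA"),
    ("www.example.com", "Example Intermediate CA")])
```

order_chain(SAMPLE_BUNDLE) returns the names in the order CN=www.example.com, CN=Example Intermediate CA, CN=Example Root CA together with the PEM text to write into squid's certificate file; pass include_root=False to drop the trust anchor, which TLS allows and which saves a few hundred bytes per handshake. The manual equivalent of what cert_names() does is openssl x509 -noout -subject -issuer -in <file> on each block, and openssl verify -CAfile root.crt -untrusted chain.crt domain.crt is the sanity check to run on the real files before restarting squid.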
--- src/ssl_support.c Sat Feb 8 14:53:15 2003
+++ src/ssl_support.c Thu Sep 18 12:52:06 2003
@@ -327,7 +327,7 @@
}
}
debug(83, 1) ("Using certificate in %s\n", certfile);
- if (!SSL_CTX_use_certificate_file(sslContext, certfile, SSL_FILETYPE_PEM)) {
+ if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {
ssl_error = ERR_get_error();
fatalf("Failed to acquire SSL certificate: %s\n",
ERR_error_string(ssl_error, NULL));
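Review bot: the debug() and fatalf() strings in the unchanged context around the replaced line still say "certificate" although the call now loads the whole chain; change them to debug(83, 1) ("Using certificate chain in %s\n", certfile); and fatalf("Failed to acquire SSL certificate chain: %s\n", ...) so an operator knows which file and which expectation the error refers to. Note also that SSL_CTX_use_certificate_chain_file takes the first PEM block as the server certificate and every later block as an extra chain certificate without checking that they link, so a file with the intermediate first loads without any error at this point; the leaf-first ordering requirement therefore has to go into the documentation of the certificate file option, which this patch does not touch. Dropping the SSL_FILETYPE_PEM argument is not a regression, since the replacement reads PEM only and the old call was hard-coded to PEM as well.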
Received on Wed Dec 17 2003 - 02:23:52 MST