--On Tuesday, 16 December 2003 15:30 -0800 Paul <[EMAIL PROTECTED]> wrote:

Can squid (squid-2.5.STABLE1-2 running under RH9 Linux) be
configured to handle *chained* SSL certificates (e.g. from
FreeSSL.com) for SSL to HTTP gatewaying?  Before I purchase a
chained cert (much cheaper than usual certs), I'd like to hear
from anyone who has direct experience.

Yes, this works with the patch from this place: <http://devel.squid-cache.org/old_projects.html#ssl>

We are running 2.5STABLE2 in a production environment with this (using Comodo certs).
You don't even have to use the new squid.conf options then; simply putting the certs into one file did the job...


regards, Jan



With chained certs, you get the usual web certificate *plus* a second certificate (e.g. chain.crt) to complete the chain of trust to a root CA.

The only real documentation I've found on using squid to gateway
SSL to http is in the squid.conf file appended below.  Not *sure*
from the documentation if it's possible to fit a *chained* cert
into the https_port tag.

Thank you in advance for any help,

-- Paul

#  TAG: https_port
#        Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]
...
#       You may specify multiple socket addresses on multiple lines,
#       each with their own SSL certificate and/or options.
...
#          cert=        Path to SSL certificate (PEM format)
#
#          key=         Path to SSL private key file (PEM format)
#                       if not specified, the certificate file is
#                       assumed to be a combined certificate and
#                       key file
#
#          version=     The version of SSL/TLS supported
#                           1   automatic (default)
#                           2   SSLv2 only
#                           3   SSLv3 only
#                           4   TLSv1 only
#
#          cipher=      Colon separated list of supported ciphers
#
#          options=     Various SSL engine options. The most important
#                       being:
#                           NO_SSLv2  Disallow the use of SSLv2
#                           NO_SSLv3  Disallow the use of SSLv3
#                           NO_TLSv1  Disallow the use of TLSv1
#                       See src/ssl_support.c or OpenSSL documentation
#                       for a more complete list.
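
A sketch of the "certs in one file" approach mentioned in the reply, added here as an example and not taken from the thread or from the Squid patch. The file names `server.crt`, `server.key` and `combined.pem`, and the leaf-first order (OpenSSL's chain-file convention), are assumptions; the function also guards against the usual concatenation failure where a missing final newline fuses two PEM markers.

```shell
#!/bin/sh
# Added example: build one PEM file for the cert= option of https_port.
# Assumed order: server certificate, chain certificate(s), optional private key.

# count_blocks FILE LABEL: number of "-----BEGIN <LABEL>-----" lines in FILE
count_blocks() {
    grep -c -- "^-----BEGIN $2-----" "$1" || true
}

# append_pem FILE: emit FILE without CRs or blank lines and with a guaranteed
# final newline, so an END marker never fuses with the next BEGIN marker.
append_pem() {
    tr -d '\r' < "$1" | awk 'NF'
}

# build_bundle LEAF CHAIN OUT [KEY]
build_bundle() {
    leaf=$1 chain=$2 out=$3 key=${4:-}
    for f in "$leaf" "$chain" ${key:+"$key"}; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # The leaf file must hold exactly one certificate, otherwise the
    # order of the resulting bundle is ambiguous.
    [ "$(count_blocks "$leaf" CERTIFICATE)" -eq 1 ] ||
        { echo "$leaf: expected exactly one certificate" >&2; return 1; }
    [ "$(count_blocks "$chain" CERTIFICATE)" -ge 1 ] ||
        { echo "$chain: no certificate found" >&2; return 1; }
    if [ -n "$key" ]; then
        [ "$(count_blocks "$key" '.*PRIVATE KEY')" -eq 1 ] ||
            { echo "$key: expected one private key" >&2; return 1; }
    fi
    (
        umask 077   # the bundle may contain the private key
        {
            append_pem "$leaf"
            append_pem "$chain"
            [ -z "$key" ] || append_pem "$key"
        } > "$out"
    )
}

# Usage (file names are assumptions):
#   build_bundle server.crt chain.crt combined.pem server.key
```

With OpenSSL installed, `openssl verify -CAfile root.crt -untrusted chain.crt server.crt` (where `root.crt` is an assumed name for the root CA file) confirms the chain is complete before Squid is pointed at the bundle.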






