Paul wrote:
Can squid (squid-2.5.STABLE1-2 running under RH9 Linux) be
configured to handle *chained* SSL certificates (e.g. from
FreeSSL.com) for SSL to HTTP gatewaying?  Before I purchase a
chained cert (much cheaper than usual certs), I'd like to hear
from anyone who has direct experience.

Squid doesn't support chained SSL certificates by default. However, you could apply the attached patch which adds that capability. It's for squid-2.5.STABLE4, but it probably fits onto older releases as well.


With chained certs, you get the usual web certificate *plus* a second
certificate (e.g. chain.crt) to complete the chain of trust to a root CA.

With OpenSSL as the SSL layer the order of chained certificates in the .crt or .pem file is important. They have to be in reverse chaining/signing order, that is, your domain certificate first, then the intermediate certificates up to the root certificate.


Thank you in advance for any help,

Hope it works for you.


   Uwe
--
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
[EMAIL PROTECTED]  |  http://www.escapebox.net
--- src/ssl_support.c   Sat Feb  8 14:53:15 2003
+++ src/ssl_support.c   Thu Sep 18 12:52:06 2003
@@ -327,7 +327,7 @@
        }
     }
     debug(83, 1) ("Using certificate in %s\n", certfile);
-    if (!SSL_CTX_use_certificate_file(sslContext, certfile, SSL_FILETYPE_PEM)) {
+    if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {
        ssl_error = ERR_get_error();
        fatalf("Failed to acquire SSL certificate: %s\n",
            ERR_error_string(ssl_error, NULL));
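Review bot: the hunk changes what the certificate file may contain (a whole chain instead of a single certificate) and adds an ordering requirement, but nothing in the patch documents it, and OpenSSL will not catch a wrong order for you: SSL_CTX_use_certificate_chain_file() takes the first PEM certificate in the file as the server certificate and every following one as the chain, so a file with the intermediate first loads without error and squid serves the intermediate as its own certificate. Suggest updating the configuration documentation for the certificate option to say "server certificate first, then intermediates", and changing the adjacent debug line to something like `debug(83, 1) ("Using certificate chain in %s\n", certfile);` so the log reflects the new behaviour. Dropping the SSL_FILETYPE_PEM argument loses nothing, since the old call hard-coded PEM anyway and the chain loader only reads PEM.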

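The ordering rule Uwe describes, exercised end to end as an added example that is not code from the thread or from Squid: it builds a throwaway root -> intermediate -> server PKI with the openssl command-line tool, writes the combined file in the order SSL_CTX_use_certificate_chain_file() expects (server certificate first, then the intermediate), checks that the first certificate in the file really is the server's, and confirms a client can validate the server certificate using only the intermediates found in that file. The hostname www.example.com, the CA names and all file names are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original posting or of Squid.
# Needs only the openssl CLI; every name below is invented for the demo.
set -e

# make_csr KEY CSR SUBJECT: fresh RSA key plus a signing request for SUBJECT.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
        -keyout "$1" -out "$2" 2>/dev/null
}

# make_test_pki DIR HOST: root.crt, int.crt, leaf.crt (and keys) in DIR.
make_test_pki() {
    dir=$1; host=$2
    # CA extensions: a v3 issuer must say CA:TRUE or OpenSSL rejects it as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    # Self-signed root CA.
    make_csr "$dir/root.key" "$dir/root.csr" "/CN=Example Test Root CA"
    openssl x509 -req -sha256 -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    # Intermediate CA, signed by the root (this is the "chain.crt" a vendor ships).
    make_csr "$dir/int.key" "$dir/int.csr" "/CN=Example Test Intermediate CA"
    openssl x509 -req -sha256 -days 30 -in "$dir/int.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    # Server (leaf) certificate for HOST, signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/leaf.ext"
    make_csr "$dir/leaf.key" "$dir/leaf.csr" "/CN=$host"
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
}

# write_chain_file DIR OUT: server certificate first, then the intermediate.
# The first certificate in this file is what OpenSSL presents as the server
# certificate, so reversing the order loads fine but serves the wrong cert.
write_chain_file() {
    cat "$1/leaf.crt" "$1/int.crt" > "$2"
}

# first_cert_dn FILE: distinguished name of the FIRST certificate in FILE
# (openssl x509 reads only the first PEM block, which is exactly the point).
first_cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# chain_order_ok FILE HOST: succeeds only if the first cert is HOST's certificate.
chain_order_ok() {
    [ "$(first_cert_dn "$1")" = "CN=$2" ]
}

# chain_verifies DIR CHAINFILE: can the leaf be validated up to root.crt using
# only the intermediates in CHAINFILE? This is the check a browser performs.
# Output is grepped because old openssl releases exit 0 even on failure.
chain_verifies() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/leaf.crt" 2>/dev/null \
        | grep -q ': OK$'
}
```

Source the script, then `make_test_pki "$d" www.example.com` and `write_chain_file "$d" "$d/chain.pem"`; `chain_order_ok "$d/chain.pem" www.example.com` and `chain_verifies "$d" "$d/chain.pem"` both succeed, while a file written as `cat int.crt leaf.crt` fails the order check. With a real certificate, substitute the vendor's files for leaf.crt and int.crt and run the same two checks on the combined file before naming it in Squid's certificate option.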