> Squid doesn't support chained SSL certificates by default. However, you
> could apply the attached patch which adds that capability. It's for
> squid-2.5.STABLE4, but it probably fits onto older releases as well.

Thanks Uwe and Henrik and Jan. This was the missing piece of the puzzle (i.e. SSL_CTX_use_certificate_chain_file).

It turns out that the current squid-2.5.STABLE1-2 package on RH9 Linux has some SSL support backported into it, but not SSL_CTX_use_certificate_chain_file:

    # rpm -ql openssl | grep ^/lib
    /lib/libcrypto.so.0.9.7a
    /lib/libssl.so.0.9.7a
    # ldd /usr/sbin/squid | egrep lib"crypto|ssl"
    libssl.so.4 => /lib/libssl.so.4 (0x40061000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x40096000)
    # strings /usr/sbin/squid | egrep "enable-ssl|SSL_CTX_use"
    SSL_CTX_use_PrivateKey_file
    SSL_CTX_use_certificate_file
    --host=i386-redhat-linux --build=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-snmp --enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,ufs --enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter --with-pthreads --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT --enable-ntlm-auth-helpers=SMB,winbind --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group

Hopefully wildcard chained certs will work as well with your patch ...

-- Paul
