Yuri and Amos, thanks for the replies! There is an openssl command that tells where OpenSSL will search for CA certs.
$ openssl version -d
OPENSSLDIR: "/etc/pki/tls"

On Sat, Feb 7, 2015 at 5:19 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 8/02/2015 9:28 a.m., Hector Chan wrote:
> > Hi all,
> >
> > I have a question about the CA file for SSL certificates. If I don't
> > specify anything for CA, what are the default CA certs that squid will use for
> > the cache_peer ?
>
> The ones OpenSSL is configured to use.
>
> >
> > Here is a snippet of my config file.
> >
> > https_port 127.0.0.1:4443 accel \
> > cert=/etc/certs/certificate \
> > key=/etc/certs/key \
> > options=NO_SSLv2,NO_SSLv3
> > ...
> > cache_peer xyz.example.com parent 443 0 \
> > no-query originserver \
> > ssl forceddomain= xyz.example.com \
>
> NP: be careful about the whitespace there after forceddomain= .
> It will force the domain to be *unset* if the parameter is whitespace.
>
> > login=PASS \
> > sslcert=/etc/certs/certificate \
> > sslkey=/etc/certs/key \
> > ssloptions=NO_SSLv2,NO_SSLv3
> >
>
> In this configuration the peer certificate will be signed by some CA
> (maybe you are doing self-signing).
> You need to add the public key for that CA to the cache_peer like so:
>
> cache_peer ... \
> sslcafile=/path/to/xyz.example.com/publicCAkey.pem
>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
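Added example, not part of the original thread: a small POSIX shell check that turns the `openssl version -d` output quoted above into the trust locations OpenSSL searches by default, so you can see whether the peer's CA is likely to be found without `sslcafile=`. The function names are hypothetical; `cert.pem` and `certs/` under OPENSSLDIR, and the `SSL_CERT_FILE` / `SSL_CERT_DIR` overrides, are OpenSSL's standard default lookup.

```shell
#!/bin/sh
# Added example, not from the thread. Paths under OPENSSLDIR are OpenSSL's
# compiled-in defaults; function names are hypothetical.

# Pull the directory out of `openssl version -d` output:
#   OPENSSLDIR: "/etc/pki/tls"  ->  /etc/pki/tls
openssldir_from_output() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Default CA bundle and hashed CA directory; the SSL_CERT_FILE and
# SSL_CERT_DIR environment variables override the compiled-in locations.
default_ca_file() { printf '%s\n' "${SSL_CERT_FILE:-$1/cert.pem}"; }
default_ca_dir()  { printf '%s\n' "${SSL_CERT_DIR:-$1/certs}"; }

# Report whether each default location exists and holds anything.
report_trust_store() {
    ca_file=$(default_ca_file "$1")
    ca_dir=$(default_ca_dir "$1")
    if [ -s "$ca_file" ]; then
        echo "CA bundle: $ca_file ($(grep -c 'BEGIN CERTIFICATE' "$ca_file") certificates)"
    else
        echo "CA bundle: $ca_file (missing or empty)"
    fi
    if [ -d "$ca_dir" ]; then
        echo "CA directory: $ca_dir ($(ls "$ca_dir" | wc -l | tr -d ' ') entries)"
    else
        echo "CA directory: $ca_dir (missing)"
    fi
}

# Run against the local OpenSSL when it is installed.
if command -v openssl >/dev/null 2>&1; then
    report_trust_store "$(openssldir_from_output "$(openssl version -d)")"
fi
```

If the CA that signed the peer certificate is in neither location, the `sslcafile=` option from the reply above is what supplies it.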