Forgot to add. The actual cert is world readable.

[admin@dsg214 ~]# ll /data/cacerts/../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
-rw-r--r-- 1 admin root 1108 Feb 18 00:21 /data/cacerts/../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
On Tue, Feb 17, 2015 at 5:18 PM, Hector Chan <hectorc...@gmail.com> wrote:
> Hi All,
>
> I have a question about using sslcapath in cache_peer. My
> server.example.com has a self-signed cert, which I imported into my squid
> box under /data/certs. The following cache_peer line actually worked.
> However, if I remove the sslcafile, squid won't verify the self-signed cert.
>
> cache_peer server.example.com parent 443 0 \
>   no-query originserver ssl \
>   forceddomain=server.example.com \
>   login=PASS \
>   sslcert=/data/certs/certificate sslkey=/data/certs/key \
>   ssloptions=NO_SSLv2,NO_SSLv3 \
>   sslcafile=/data/cacerts/72af835f.0 \
>   sslcapath=/data/cacerts
>
> [admin@dsg214 cacerts]# ls -l
> total 0
> lrwxrwxrwx 1 admin root 53 Feb 18 00:22 35fa123a.0 -> ../certs/a4a521af41327a4ab3ff1feb16a1a76888a0c2ea.crt
>
> Running the openssl command from the squid box verified the certificate chain
> ok with the -CApath option, which really puzzled me.
> # openssl s_client -CApath /data/certs -connect server.example.com:443
>
> Any ideas?
>
> Thanks,
> Hector
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
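Editor's note with an added example (not from the original post or from Squid): sslcapath is handed to OpenSSL as a CApath, and OpenSSL never reads a CApath directory as a whole. It opens "<subject_hash>.0", "<subject_hash>.1", ... and stops at the first name that does not exist, so a CA certificate that is present in the directory under any other name is never consulted, and a link whose name was computed with a different hash (OpenSSL 0.9.x used a different subject hash than 1.0.0 and later; see "-subject_hash_old") is equally invisible. The script below, assumed to be saved as capath-check.sh (a name chosen for this example), computes the hash OpenSSL expects for a certificate, checks whether the directory actually resolves it under that name, and can create the missing link the way c_rehash does. All paths in it are illustrative; run it against whichever directory your cache_peer line names.

```shell
#!/bin/sh
# Added example, not from the original post: audit a CApath directory the
# way OpenSSL resolves issuers in it. OpenSSL opens "<subject_hash>.<N>" for
# N = 0, 1, 2, ... and stops at the first name that does not exist, so a CA
# file that is merely present in the directory, but has no link under its
# hash name, is never consulted. All paths passed in are illustrative.

# Subject-name hash that OpenSSL 1.0.0 and later use for CApath file names.
# (OpenSSL 0.9.x used a different hash; see "openssl x509 -subject_hash_old".)
capath_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Is CERT reachable from DIR under its hash name? Prints "ok <hash>.<N>" and
# returns 0 when some <hash>.<N> holds the same certificate (compared by
# SHA-256 fingerprint); prints "missing ..." and returns 1 otherwise.
capath_check() {
    dir="$1"; cert="$2"
    h=$(capath_hash "$cert") || return 2
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$cert") || return 2
    n=0
    while [ -e "$dir/$h.$n" ]; do        # -e follows symlinks, as OpenSSL's open does
        got=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$h.$n" 2>/dev/null)
        if [ "$got" = "$want" ]; then
            echo "ok $h.$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "missing $h.<N> for $cert in $dir"
    return 1
}

# Add the hash link for CERT in DIR, using the next free suffix (this is what
# c_rehash / "openssl rehash" do). CERT is stored in the link as given, so
# pass an absolute path.
capath_link() {
    dir="$1"; cert="$2"
    h=$(capath_hash "$cert") || return 2
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$cert" "$dir/$h.$n" || return 2
    echo "$dir/$h.$n"
}

# Usage: sh capath-check.sh /data/cacerts /data/certs/<file>.crt
if [ $# -eq 2 ]; then
    capath_check "$1" "$2"
fi
```

If capath_check reports "missing" for the directory named in sslcapath, OpenSSL cannot find the CA there either, regardless of what "openssl s_client -CApath" reports for some other directory; compare the hash it prints with the link names you see in "ls -l" of that directory.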