Re: [squid-users] squid 4.0.3 - sslflags not working?

Fri, 08 Jan 2016 13:07:35 -0800 

Hi,

testet the latest Snapshot and the 4.0.4

Still the same.

Regards,

Florian

-----Ursprüngliche Nachricht-----
Von: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Im Auftrag 
von Amos Jeffries
Gesendet: Montag, 4. Januar 2016 12:07
An: squid-users@lists.squid-cache.org
Betreff: Re: [squid-users] squid 4.0.3 - sslflags not working?

On 4/01/2016 8:58 a.m., Florian Stamer wrote:
> Hi I,m currently testing Squid 4.0.3 in Reverse Proxy Mode.
>
> It seems that the sslflags directives "DONT_VERIFY_PEER" and 
> "DONT_VERIFY_DOMAIN" do not work.
>

Should be. They are planned for removal, but nothing towards that has ot 
happened yet.

> Here is the relevant config:
>
> https_port 443 accel cert=/etc/squid/ssl/wildcard.cer
> key=/etc/squid/ssl/wildcard.key defaultsite=externeURL
> cipher=HIGH:!aNULL options=SINGLE_DH_USE,NO_SSLv3
> dhparams=/etc/squid/ssl/dhparams.pem
> cache_peer localserver parent 443 0 proxy-only no-query no-digest
> front-end-https=on originserver login=PASS ssl ssloptions=NO_SSLv3
> sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=ExchangeCAS
>
> It perfectly workes in my production System based on Ubuntu LTS 14.04.3, 
> Squid 3.3.8.
>
> Everytime i try to access the site i get an error:
>
> The system returned:
> (71) Protocol error (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
> Certificate does not match domainname
>
> I'm using a SAN Certificate...
>
> I can workaround this using the directive "sslproxy_cert_error allow all". 
> But that is not what i want...
>
> Are there any issues known?
> Is something wrong with my config?

Nothing obvious.

It might be related to one of the issues fixed since 4.0.3 was packaged.
Are you able to try the latest 4.x snapshot ?

Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Reply via email to