Hello, I want to set up Squid as an HTTPS reverse proxy for several of our websites, but I have a certificate verification problem in Squid's access.log. Our upstream webservers are behind a VPN tunnel and only the Squid server can access them. (We actually use Nginx for the same purpose but want to switch to Squid.)
                     HTTPS                       HTTPS
    [client browser] ----------------> [Squid] ----------------> [upstream server]

I run squid 3.4.8-6+deb8u4 recompiled with --enable-ssl --with-open-ssl="/etc/ssl/openssl.cnf" on Debian Jessie. The certificate presented to the client is the same as on the upstream server, a wildcard one signed by GeoTrust (with an intermediate CA). It appears correctly in the browser. The problem comes from Squid's verification of the upstream certificate.

My basic squid.conf looks like:

    https_port <squid IP>:443 accel defaultsite=upstream1.domain.tld vhost cert=<path to SSL cert>
    cache_peer <upstream IP> parent 443 0 no-query originserver name=upstream1 ssl
    acl upstream1 dstdomain upstream1.domain.tld
    cache_peer_access upstream1 allow upstream1

And the logs are full of:

    fwdNegotiateSSL: Error negotiating SSL connection on FD 14: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
    TCP connection to <upstream IP> failed

If I verify the upstream server with openssl, I get an error, but if I give it the intermediate CA certificate (to be precise, I give it the full chain concatenated in one file), it's OK:

    $ openssl s_client -showcerts -connect upstream.domain.tld:443 -CAfile <path to full cert chain>.pem
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
    verify return:1
    depth=0 CN = *.fraudbuster.mobi
    verify return:1
    ...
    Timeout : 300 (sec)
    Verify return code: 0 (ok)

In Squid, I tried several options for cache_peer (sslcapath and sslcafile...) but I keep having this error. Of course the sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN options solve the problem, but I don't want to use this solution (my certificate is legitimate and I want to validate it normally).

What am I doing wrong? And what should I do to make Squid work in this setup?

Thanks.
Eric.
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
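As an added illustration, not part of Eric's post, here is a small Python parser for the `openssl s_client -showcerts` output the post uses as its check. It distinguishes a run that verifies from one where the upstream sends only its leaf certificate, the situation the post's test points at (verification succeeds only once the full chain is handed to the verifier). The sample outputs, hostnames and the `diagnose` function are constructed here and are not from the post.

```python
import re

# Constructed samples modelled on the `openssl s_client -showcerts` output in
# the post (certificate bodies omitted; hostnames are placeholders, not real).
UPSTREAM_NO_INTERMEDIATE = """\
CONNECTED(00000003)
depth=0 CN = *.example.test
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=*.example.test
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
Verify return code: 20 (unable to get local issuer certificate)
"""

UPSTREAM_FULL_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=*.example.test
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Verify return code: 0 (ok)
"""

CHAIN_RE = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)
CODE_RE = re.compile(r"^Verify return code: (\d+) \(", re.MULTILINE)

def parse_s_client(output):
    """Return ([(subject, issuer), ...] as sent by the server, verify code)."""
    chain = [(s.strip(), i.strip()) for s, i in CHAIN_RE.findall(output)]
    m = CODE_RE.search(output)
    return chain, (int(m.group(1)) if m else None)

def diagnose(output):
    """Classify an s_client run; 'missing-intermediate' means the upstream
    only sends its leaf, so the proxy must be given the intermediate itself."""
    chain, code = parse_s_client(output)
    if code == 0:
        return "ok"
    # Codes 20/21: issuer of the last cert sent is unknown to the verifier.
    # If that cert is not self-signed, the server's chain stops too early.
    if chain and code in (20, 21) and chain[-1][0] != chain[-1][1]:
        return "missing-intermediate"
    return "other-failure"
```

Running the parser over a real capture (without `-CAfile`) tells you whether to fix the chain served by the upstream or to hand the intermediate to the proxy's verifier; either way the peer stays verified instead of disabling verification.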