2017-06-21 19:46 GMT+03:00 Alex Rousskov <rouss...@measurement-factory.com>:

> On 06/21/2017 10:15 AM, Nikita wrote:
>
> > Is it possible to allow self-signed SSL certificates for ICAP server
> > connections somehow?
>
> Can you configure your OpenSSL library (or equivalent) to trust the ICAP
> server certificate? Squid delegates most of the certificate validation
> work to OpenSSL (or equivalent).
>
>
Probably worth a try, but generally it is undesirable in my case to modify
the global OpenSSL config.


> > There is the tls-flags=DONT_VERIFY_PEER flag, but in this case Squid
> > doesn't send its own certificate to the ICAP server
>
> Why do you think tls-flags=DONT_VERIFY_PEER only works if Squid sends
> its own certificate? The two actions (from-peer certificate validation
> and sending of a certificate to a peer) seem unrelated to me.
>
>
In my case, for some unknown reason, Squid doesn't send its own certificate
to the ICAP server, probably because of the DONT_VERIFY_PEER flag, but I'm
not sure here. BIO_do_handshake fails with "no certificate returned" on the
ICAP server side despite the fact that the Squid certificate was specified
via the tls-cert and tls-key options of the icap_service config directive
and the ICAP server was configured to request a client certificate. It seems
I need to investigate the Squid source code in more detail to find some
answers. Thanks for the advice.


> Alex.
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
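
Added example, not part of the original message: a per-service alternative to both options discussed in the thread (changing the global OpenSSL trust store, or disabling validation with tls-flags=DONT_VERIFY_PEER). It assumes a Squid build whose icap_service directive accepts the tls-cafile= and tls-default-ca= options; the service name, host, port and file paths are placeholders.

```conf
# Constructed squid.conf fragment; svc_req, icap.example.internal, the port
# and all /etc/squid/... paths are placeholders, not values from the thread.

# Weak setting: the ICAP server certificate is not validated at all, so any
# TLS endpoint answering at this address is accepted as the ICAP server.
#icap_service svc_req reqmod_precache icaps://icap.example.internal:11344/reqmod tls-cert=/etc/squid/icap-client.pem tls-key=/etc/squid/icap-client.key tls-flags=DONT_VERIFY_PEER

# Tighter setting: validation stays on, but the only trust anchor for this
# one service is the ICAP server's self-signed certificate.
#   tls-cafile=        file holding the self-signed server certificate (PEM)
#   tls-default-ca=off do not also trust the system CA bundle for this service
#   tls-cert=/tls-key= client certificate and key Squid is configured with
# The name in the server certificate still has to match the host in the URI.
icap_service svc_req reqmod_precache icaps://icap.example.internal:11344/reqmod tls-cert=/etc/squid/icap-client.pem tls-key=/etc/squid/icap-client.key tls-cafile=/etc/squid/icap-server-selfsigned.pem tls-default-ca=off
```

This scopes trust to the single ICAP service and leaves the system-wide OpenSSL configuration untouched; it does not by itself address the "no certificate returned" handshake failure described in the message.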
