2017-06-21 19:46 GMT+03:00 Alex Rousskov <rouss...@measurement-factory.com>:
> On 06/21/2017 10:15 AM, Nikita wrote:
>
> > Is it possible to allow self-signed SSL certificates for ICAP server
> > connections somehow?
>
> Can you configure your OpenSSL library (or equivalent) to trust the ICAP
> server certificate? Squid delegates most of the certificate validation
> work to OpenSSL (or equivalent).
>

Probably worth a try, but generally it is undesirable in my case to modify the global OpenSSL config.

> > There is a tls-flags=DONT_VERIFY_PEER flag, but in this case Squid
> > doesn't send its own certificate to the ICAP server
>
> Why do you think tls-flags=DONT_VERIFY_PEER only works if Squid sends
> its own certificate? The two actions (from-peer certificate validation
> and sending of a certificate to a peer) seem unrelated to me.
>

In my case, for some unknown reason, Squid doesn't send its own certificate to the ICAP server, probably because of the DONT_VERIFY_PEER flag, but I am not sure here. BIO_do_handshake fails with "no certificate returned" on the ICAP server side despite the fact that the Squid certificate was specified via the tls-cert and tls-key options of the icap_service config directive and the ICAP server was configured to request a client certificate. It seems I need to investigate the Squid source code in more detail to find some answers, thanks for the advice.

> Alex.