> Squid doesn't support chained SSL certificates by default. However, you
> could apply the attached patch which adds that capability. It's for
> squid-2.5.STABLE4, but it probably fits onto older releases as well.

Thanks Uwe and Henrik and Jan. This was the missing piece of the
puzzle (i.e. SSL_CTX_use_certificate_chain_file). It turns out that
the current squid-2.5.STABLE1-2 package on RH9 Linux has some SSL
support backported into it, but not SSL_CTX_use_certificate_chain_file:

# rpm -ql openssl | grep ^/lib
/lib/libcrypto.so.0.9.7a
/lib/libssl.so.0.9.7a
# ldd /usr/sbin/squid | egrep lib"crypto|ssl"
libssl.so.4 => /lib/libssl.so.4 (0x40061000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x40096000)
# strings /usr/sbin/squid | egrep "enable-ssl|SSL_CTX_use"
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
--host=i386-redhat-linux --build=i386-redhat-linux
--target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr
--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib
--libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com
--mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr
--bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var
--sysconfdir=/etc/squid --enable-poll --enable-snmp
--enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,ufs
--enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools
--enable-linux-netfilter --with-pthreads
--enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT
--enable-ntlm-auth-helpers=SMB,winbind
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group

Hopefully wildcard chained certs will work as well with your patch ...

-- Paul
Received on Wed Dec 17 2003 - 07:02:11 MST
This archive was generated by hypermail pre-2.1.9 : Thu Jan 01 2004 - 12:00:15 MST