[squid-users] ssl reverse proxy self signed cert

From: Peter Meier <peter.meier@dont-contact.us>
Date: Fri, 09 Mar 2007 15:59:03 +0100

Hi

Maybe I understood something wrong, but I'm trying to do the following
setup with squid 2.6.STABLE7 and couldn't find anything related to my
errors and problems:

wished setup:
client --ssl (cacert signed)--> squid (reverse) --ssl (selfsigned)--> apache

However, I always get the squid error page with:

"(71) protocol error"

and that the connection to the apache couldn't be established,
while accessing this setup with the browser. In the squid cache.log I
get this error several times:

2007/03/09 13:39:43| SSL unknown certificate error 18 in
/C=CH/ST=Some-State/L=World/O=foo/OU=bar/CN=some.host.com/emailAddress=root@some.host.com
2007/03/09 13:39:43| fwdNegotiateSSL: Error negotiating SSL connection
on FD 15: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

However, if I use on the apache the cacert signed cert as I have it on
the reverse squid host, it works perfectly and I can access the sites
through the squid.
So this setup works:
client --ssl (cacert signed)--> squid (reverse) --ssl (cacert signed
(same cert))--> apache

(except this error in cache.log:
2007/03/09 13:41:53| fwdNegotiateSSL: Error negotiating SSL connection
on FD 16: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol (1/-1/0)
)

To create the self signed cert I used:
openssl req -new -newkey rsa:1024 -nodes -x509 -keyout foo_key.pem
-out foo.pem -days 3600
Accessing this directly is no problem, except the normal warning
due to the self signed cert. So https works with that cert on apache.

Well, for me it is clear that squid cannot verify the cert as it is
self signed. However, I'd like to tell squid that it should accept this
cert, not try to verify it or whatever, to be able to use it. But I
couldn't find such an option for the https_port option.

I also tried to make my own CA and then use a cert signed by this and
add my own CA cert to the https_port with the cafile=/path/ option.
However, this only changes the unknown ssl error from 18 to 20.

For me also the following setup would work:
client --ssl (cacert signed)--> squid (reverse) ---http--> apache
by using the protocol=http option, which is also working.

However, this makes it impossible to have different sites served by
https or http, and it also makes the site that should be https-only
accessible by http-only. If I could change this behaviour with any
other options/tricks, this would be nice.

As I mentioned at the beginning, it might be that I understood reverse
proxying, https and certs wrong. However, in my opinion the first wished
setup should work and I only have that problem of self signed certs. Is
it possible to avoid this problem and use a different (self signed) cert
on the apache?

Thanks for your answers and greets, Pete

PS: please CC me, as I'm currently not on the list, so I get the mails
anyway until I've subscribed. Thanks.
Received on Fri Mar 09 2007 - 07:59:05 MST
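An added squid.conf example, not from the original post or from the Squid documentation, showing the cache_peer form of the setup described above: in Squid 2.6 the verification options for the Squid-to-Apache hop live on the cache_peer line (sslcafile= and ssldomain=), and the sslflags=DONT_VERIFY_PEER shortcut is shown commented out as the weak form that accepts any certificate and so leaves the inner hop open to an impersonated backend. Hostnames, addresses, file paths and ACL names are assumptions.

```conf
# Added example (assumed hosts, paths and ACL names), not the poster's configuration.
# Client side: Squid terminates TLS with the CA-signed certificate for the public name.
https_port 443 accel defaultsite=some.host.com vhost cert=/etc/squid/ssl/some.host.com.pem key=/etc/squid/ssl/some.host.com.key
# Plain HTTP front for the sites that are allowed over http.
http_port 80 accel defaultsite=www.example.com vhost

# Inner hop, WEAK (kept commented out): accept whatever certificate Apache presents.
# No verification at all, so any host that answers on 10.0.0.5:443 is trusted.
#cache_peer 10.0.0.5 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=apache_tls

# Inner hop, CHECKED: trust only certificates issued by our private CA (the CA that
# signed the Apache certificate) and require that certificate to carry the expected name.
cache_peer 10.0.0.5 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ssl/private-ca.pem ssldomain=some.host.com name=apache_tls

# Separate plain-HTTP origin for sites that do not need TLS on the inner hop.
cache_peer 10.0.0.6 parent 80 0 no-query originserver name=apache_plain

# Route by requested host so the https-only site never reaches the plain peer.
acl tls_site dstdomain some.host.com
acl plain_site dstdomain www.example.com
acl on_port_80 myport 80
cache_peer_access apache_tls allow tls_site
cache_peer_access apache_tls deny all
cache_peer_access apache_plain allow plain_site
cache_peer_access apache_plain deny all

# Refuse the https-only site when it is requested over the plain http_port.
http_access deny tls_site on_port_80
http_access allow tls_site
http_access allow plain_site
http_access deny all
```

With the checked form, a certificate that is self-signed and not in sslcafile still fails with verify error 18, and one signed by an unknown issuer with error 20, which is the intended behaviour rather than something to switch off.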
