On 23/05/2012 10:08 a.m., Ruiyuan Jiang wrote:
> Hi, all
>
> I am trying to setup MS webmail over rpc Exchange server access through squid (squid 3.1.19, SPARC, Solaris 10) from internet. Here is my pilot squid configuration (squid.conf):
>
> https_port 156.146.2.196:443 accel cert=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.crt key=/opt/squid-3.1.19/ssl.crt/webmail_juicycouture_com.key cafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt defaultsite=webmail.juicycouture.com
>
> cache_peer 10.150.2.15 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/squid-3.1.19/ssl.crt/webmail_katespade_com.crt sslkey=/opt/squid-3.1.19/ssl.crt/webmail_katespade_com.key sslcafile=/opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt name=exchangeServer
<snip>
> 2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> 2012/05/22 17:44:15| TCP connection to 10.150.2.15/443 failed
> 2012/05/22 17:44:15| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
>
> From the packet capture, the internal Exchange server reset the connection from the squid proxy server by either "Alert (Level: Fatal, Description: Unknown CA)" when I used above official certificates or "Alert (Level: Fatal, Description: Certificate Unknown) when I used internal CA signed certificate after initial https handshaking between squid and exchange server through https connection. Can anyone tell me how do I correctly configure cache_peer statement to make it work?
In case you did not figure this out already... Squid is unable to
validate the exchange server certificate using either the openssl
libraries trusted CA certificates or the sslcafile= parameter
certificate given to verify it with.
* Check that your openSSL library trusted CA are up to date on the Squid
machine - this is the most common cause of validation errors.
* Check that your /opt/apache2.2.21/conf/ssl.crt/DigiCertCA.crt file on
the Squid machine contains the CA used to sign the exchange servers
certificate.
Amos
Received on Sun May 27 2012 - 10:25:57 MDT
This archive was generated by hypermail 2.2.0 : Sun May 27 2012 - 12:00:04 MDT