I have an use-case were I have to accept self-signed certificate in Squid. The endpoints are Kubernetes clusters using self-signed certificates. The clusters will be recreated on demand with different self-signed certificate and therefore the need to accept them with a regexp, preferred way, or globally for test purpose.
The current Squid version is 6.0.0, compiled with the follow flags:
Squid Cache: Version 6.0.0-VCS
Service Name: squid
This binary uses OpenSSL 1.1.1 11 Sep 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--prefix=/apps/squid' '--enable-icap-client' '--enable-ssl' '--with-openssl' '--enable-ssl-crtd' '--enable-security-cert-generators=file' '--enable-au
th' '--with-default-user=proxy'
In my tests I played with the ssl_bump configs and the tls_outgoing_options:
http_port 8080 ssl-bump cert=/apps/squid/etc/ssl_cert/CA_crt.pem key=/apps/squid/etc/ssl_cert/CA_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /apps/squid/libexec/security_file_certgen -s /apps/squid/var/logs/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump bump all
sslproxy_cert_error allow all
tls_outgoing_options options=ALL flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
But the best result I can achieve is _curl: (51) SSL: no alternative certificate subject name matches target host name
Or without ssl_bump
http_port 8080 ssl-bump cert=/apps/squid/etc/ssl_cert/CA_crt.pem key=/apps/squid/etc/ssl_cert/CA_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /apps/squid/libexec/security_file_certgen -s /apps/squid/var/logs/ssl_db -M 4MB
sslcrtd_children 5
sslproxy_cert_error allow all
tls_outgoing_options options=ALL flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
I Get curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to
Today I need K8S endpoints but tomorrow can be any other endpoints, therefore the need to make squid create the connection tricking the CN may be.
