RE: [squid-users] Squid3 and certificates in a cluster

Great advice, thank you!

> -----Original Message-----
> From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
> Sent: Monday, April 10, 2006 2:18 AM
> To: Discussion Lists
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid3 and certificates in a cluster
>
>
> sön 2006-04-09 klockan 21:10 -0700 skrev Discussion Lists:
> > Suppose I have two squid3 machines that are clustered, and
> I want them
> > both to offer reverse SSL proxy (depending on whichever is
> active of
> > course). Assuming that all is set up correctly, couldn't I
> just keep
> > identical copies of the certificate and key on each machine
> and expect
> > Squid3 and the Internet to not know the difference?
>
> Yes.
>
> In fact this is even a MUST for clustered SSL servers as
> otherwise the clients will get quite confused if they get
> different certificates from the same server..
>
> Please note that it is also important you set the sslcontext
> differently on the members of the cluster (or alternatively
> disable the SSL session reuse entirely if you have an RSA
> accelerator chip or lots of spare CPU time..). If not there
> is a slight risk of confusion in SSL session reuse causing
> random client communication failures.
>
> Regards
> Henrik
>
Received on Mon Apr 10 2006 - 10:18:53 MDT