Re: [squid-users] Re: Re: Re: Can't get SSL proxy to work with MSExchange OWA

From: Henrik Nordstrom <[email protected]>
Date: Sat, 11 Nov 2006 00:50:29 +0100

tor 2006-11-09 klockan 14:07 +0100 skrev Bert Moorthaemer:

> Sorry about that, but for some strange reason your messages get attached as
> text files in my newsreader ... for an explanation see the original quoted
> text above ...

Probably due to the GnuPG signature.

> What I want Squid to do is authenticate the client using client certificates
> (That is how my current firewall works) which will be replaced by the one
> I'm building now and which utilizes Squid as the HTTP proxy
>
> My current Squid2.6STABLE4 setup is as follows:
>
> <snip>
> https_port webmail:443 \
> defaultsite=webmail.foo.com vhost \
> cert=/usr/local/etc/squid/certs/webmail.foo.com.pem \
> cafile=/etc/CA/ssl/public/vsign-class3.crt \
> # clientca=/etc/CA/ssl/public/ca.pem \
> # crlfile=/etc/CA/ssl/public/crl.pem \
> # sslflags=DELAYED_AUTH \
> capath=/etc/CA/ssl/public

DELAYED_AUTH does not work yet.. (as indicated in the comments).

clientca and crlfile should both work.. clientca will make Squid ask
the client for a certificate issued by those CAs, and to trust client
certificates issued by those CAs in addition to the CAs already trusted.

> What I need to know is why I can't get it to work e.g.: what should go into
> the clientca option?

The public certificate(s) of the CA you want to ask the client to
provide a certificate from.

> I have tried with the certificate of the CA (own CA self-signed), but for
> some strange reason I get "SSL unknown certificate error 12 (or 20)" and
> then a lot of SSL errors indicating that the client didn't supply a
> certificate ...

No idea. Worked for me last time I tried..

Regards
Henrik

Received on Fri Nov 10 2006 - 16:50:33 MST

This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:03 MST
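To put the "what should go into the clientca option" answer into working commands, here is an added example (not part of Henrik's or Bert's mail, and not Squid's own code): it builds an "own CA" and a client certificate with the openssl command-line tool, then checks which certificates a clientca= pointing at that CA's public certificate would accept. File names and subjects are constructed for the demonstration; the script assumes the openssl binary is installed.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway "own CA" and a client
# certificate with openssl, then check the client certificate against that CA
# the way Squid's clientca= trust check will, before touching squid.conf.
# All file names and subjects below are constructed for the demonstration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. The self-signed CA. Its public certificate (ca.pem) is what clientca= takes;
#    the private key (ca.key) is never given to Squid or to the clients.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout ca.key -out ca.pem -subj "/CN=Example Client CA" 2>/dev/null

# 2. A client certificate issued by that CA (what an OWA user would present).
openssl req -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr -subj "/CN=alice" 2>/dev/null
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -out client.pem 2>/dev/null

# 3. A self-signed certificate from no trusted CA at all: the kind of client
#    certificate Squid must refuse when clientca= lists only ca.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout rogue.key -out rogue.pem -subj "/CN=rogue" 2>/dev/null

# clientca_names CAFILE: the CA subject(s) Squid will advertise to the client
# as acceptable issuers when it asks for a client certificate.
clientca_names() {
    openssl x509 -in "$1" -noout -subject
}

# accepted_by_clientca CERT CAFILE: returns 0 only if CERT chains to a CA in
# CAFILE, i.e. only if Squid with clientca=CAFILE would trust it. To model
# crlfile= as well, add: -crl_check -CRLfile crl.pem
accepted_by_clientca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

clientca_names ca.pem
if accepted_by_clientca client.pem ca.pem; then echo "client.pem: accepted"; fi
if ! accepted_by_clientca rogue.pem ca.pem; then echo "rogue.pem: rejected"; fi
```

Run it with the real CA certificate in place of ca.pem and a user's certificate in place of client.pem to see, before loading Squid, whether the certificate the client sends will chain to the configured clientca.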