Re: [squid-users] NTLM passthrough over https breaks during NTLM handshake

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 19 Sep 2009 02:12:33 +1200

Benjamin Inderm�hle wrote:
> Hello
>
> I am trying to setup a squid between my exchange server and the outside
> world.
> I am having troubles getting ntlm to work.
>
> [internet]---<https>---[squid]---<https>---[exchange]
>
> Squid's job would be to terminate the ssl connection and start a new one
> the the ntlm server and pass the ntlm authorization through to exchange.
>
> The ssl connections squid -> exchange is getting terminated with
> following error in squid
>
> 2009/09/18 09:05:38| fwdNegotiateSSL: Error negotiating SSL connection
> on FD 18: error:00000000:lib(0):func(0):reason(0) (5/0/0)
> 2009/09/18 09:05:38| TCP connection to xchg07-dev-be.dev.domain.com
> (10.1.3.20:443) failed
>
> If I switch the connection Squid <-> exchange to http the connection
> does not break. and ntlm auth works

Your SSL certificate may be being rejected by the Exchange server then.

>
> I have tried all kinds of parameters in the configuration
> With or without client certificate, nothing helped the connection
> terminates every time.
> I have also tried different version of Squid namely:
>
> Squid Cache: Version 2.7 STABLE6
> Squid Cache: Version 2.6 STABLE20
>
> I am running Centos5 on the Server
>
>
> I took a closer look at the ntlm handshake and made a tcpdump on squid
> to see how and when the connection is terminated
>
> >>>>>>>>>>>>> Page Request
> Please authenticate with NTLM <<<<<<
> >>>>>>>>>>>>> NTLM negotiate
> NTLM challenge <<<<<<<<<<<<<<<<<<<
>
> TCP Connection should not be terminated from here on
> Squid resends Client Hello package
> Exchange terminates connection.
> Connection is reopened.
>
> >>>>>>>>>>>> NTLM AUthentication
> RESET <<<<<<<<<<<<<<<<<<<<<<
>
>
>
> This is my squid config
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> extension_methods RPC_IN_DATA RPC_OUT_DATA
> https_port 10.1.16.33:443 cert=/etc/squid/ssl/webmail-dev.crt
> key=/etc/squid/ssl/webmail-dev.key cafile=/etc/squid/ssl/webmail-dev.crt
> defaultsite=webmail-dev.domain.com
> cache_peer 10.1.3.20 parent 443 0 no-query originserver login=PASS ssl
> sslcert=/etc/squid/ssl/sextans-be.cert
> sslkey=/etc/squid/ssl/sextans-be.key
> sslcafile=/etc/squid/ssl/someca-cax509.cert
> # access control
> acl all src 0.0.0.0/0.0.0.0
>
>
> # basic URL based access restriction for DEV Exchange 2007
> acl url_allow url_regex -i ^https://webmail-dev.domain.com/
>
> http_access allow url_allow
> http_access deny all
>
> # extra access log file
> access_log /var/log/squid/access.log
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> any help would be appreciated.
>
> Best regards
> Benjamin Inderm�hle

http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc

  * You are missing a never_direct entry.
  * Your certificate settings differ from those known to work with Exchange.
  * you are using a full URL regex to match a simple domain name. Use
dstdomain instead.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
   Current Beta Squid 3.1.0.13
Received on Fri Sep 18 2009 - 14:12:40 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 18 2009 - 12:00:03 MDT