I've just found my mistake in squid.conf for client certificate
authentication.
Here is the correct parameter:
https_port 443 defaultsite=192.168.x.x protocol=http \
cert=rproxy.crt key=rproxy.key clientca=myca.crt
Not cafile=myca.crt!
It's only for additional CA certificates.
Regards,
Laurent
laurent.derrien@gouv.nc
29/08/2003 09:51
To: hno@squid-cache.org
Cc: squid-users@squid-cache.org
Subject: Re: Re: [squid-users] user_cert in Squid 3.0 PRE3
Thank you for this information.
Please could you tell me how to force use of client certificates?
I want squid to reject connections without client certificates
authenticated by my CA certificate.
Regards,
Laurent Derrien
Henrik Nordstrom <hno@squid-cache.org>
27/08/2003 19:07
To: laurent.derrien@gouv.nc, squid-users@squid-cache.org
Cc:
Subject: Re: [squid-users] user_cert in Squid 3.0 PRE3
On Wednesday 27 August 2003 05.12, laurent.derrien@gouv.nc wrote:
> The configuration is good without client certificate ACL.
> But connections always fail when I activate the user_cert ACL. I
> guess I don't use the right syntax.
> The help in squid.conf is not detailed enough for me:
> # acl aclname user_cert attribute values...
> # # match against attributes in a user SSL certificate
> # # attribute is one of DN/C/O/CN/L/ST
> Could you help me with examples?
>
> Here are the main lines of my squid.conf:
>
> https_port 443 defaultsite=192.168.x.x protocol=http
> cert=rproxy.crt key=rproxy.key cafile=myca.crt
> sslflags=DELAYED_AUTH
> cache_peer 192.168.x.x parent 80 0 originserver
> acl Cert_OK user_cert CN="Laurent Derrien"
> http_access allow Cert_OK
> http_access deny all
Delayed/ACL-triggered SSL certificate negotiation is not yet
implemented. For now the use of client certificates is all or none.
Regards
Henrik
--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com

Received on Thu Aug 28 2003 - 23:49:43 MDT
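
The check below is an added example, not part of the original messages or of Squid itself: it audits https_port lines in a squid.conf for the mistake resolved in this thread (cafile= used where clientca= is needed to require client certificates). The function names and the two sample configurations are constructed for illustration, and the ',' or ':' separator inside sslflags= is an assumption.

```python
import re

# Constructed samples modelled on the two squid.conf variants in the thread.
BEFORE = """\
https_port 443 defaultsite=192.168.x.x protocol=http \\
    cert=rproxy.crt key=rproxy.key cafile=myca.crt \\
    sslflags=DELAYED_AUTH
acl Cert_OK user_cert CN="Laurent Derrien"
"""
AFTER = """\
https_port 443 defaultsite=192.168.x.x protocol=http \\
    cert=rproxy.crt key=rproxy.key clientca=myca.crt
"""

def logical_lines(text):
    """Join backslash-continued lines; skip blanks and comments."""
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit_https_ports(conf_text):
    """Return [(port, [finding, ...])] for every https_port directive."""
    report = []
    for line in logical_lines(conf_text):
        tokens = line.split()
        if tokens[0] != "https_port" or len(tokens) < 2:
            continue
        opts = dict(t.split("=", 1) for t in tokens[2:] if "=" in t)
        findings = []
        if "clientca" not in opts:
            findings.append("no clientca=: client certificates are not required")
            if "cafile" in opts:
                findings.append("cafile= only supplies additional CA certificates")
        # Assumption: flags inside sslflags= are separated by ',' or ':'.
        if "DELAYED_AUTH" in re.split(r"[,:]", opts.get("sslflags", "")):
            findings.append("sslflags=DELAYED_AUTH: not implemented per the thread")
        report.append((tokens[1], findings))
    return report

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        for port, findings in audit_https_ports(conf):
            print(name, port, findings or "client certificate required via clientca=")
```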