RE: [squid-users] Trying to use user_cert acl with SQUID 2.5 + SSL patch

From: Fauquet, Xavier <xavier.fauquet@dont-contact.us>
Date: Sat, 4 Sep 2004 15:49:48 +0200

>
> > Well, I tried the following :
> > acl USER-ok CN surname.name
> > acl USER-ko CN ko1.ko1
> > http_access allow USER-ok
> > http_access deny USER-ko
> >
> > Both users can still browse.
> > Anything I forgot?
>
>
> The acl statements are not using correct syntax. Should be
>
> acl USER-ok user_cert CN surname.name
> acl USER-ko user_cert CN ko1.ko1
>
> but I assume this is just a typo in your message. Please use
> "squid -k parse" to verify the syntax of your configuration.

It was just a typo in my message.

>
> The example above should work in principle, but does not really deny other
> users access. All this says is that the user surname.name is allowed and
> the user ko1.ko1 is not. Other users (or users who selected not to present
> a certificate) are not matched by these two rules.

Well, typically, the user ko1 can access the site. So, I think the rule is
not taken into account.

>
> Make sure there are no other http_access rules before this allowing access,
> and that you do not allow access without a certificate.
>
> Please try
>
> http_access allow USER-ok
> http_access deny USER-ko
> http_access deny all

I tried it and now everybody is denied.

HELP !!

>
>
> It may also be worth mentioning that this feature of the SSL update patch
> is not very well tested as the customer who ordered this feature backed
> out just before delivery but MARA Systems selected to publish these
> additions to the SSL support regardless. I do remember it passing at least
> the basic tests and also have some memory of someone else actually using
> this successfully.
>
> Regards
> Henrik
>
Received on Sat Sep 04 2004 - 07:50:25 MDT
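
The following is an added example, not part of either message and not Squid code: a simplified Python model of how http_access rules are evaluated (first match wins; when nothing matches, Squid applies the opposite of the last rule). It assumes a user_cert CN acl matches only when Squid actually sees a client certificate with that CN; the request data is constructed. In this model the no-certificate case is allowed by the two-rule list and denied once "deny all" is added.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# Assumption: a user_cert CN acl matches only when the client presented a
# certificate whose CN is one of the listed values.

def acl_matches(acl, request):
    kind, values = acl
    if kind == "all":
        return True
    if kind == "user_cert_cn":
        return request.get("cert_cn") in values  # None (no cert) never matches
    raise ValueError(kind)

def http_access(rules, acls, request):
    """First matching rule wins; with no match, the opposite of the last rule applies."""
    for action, acl_name in rules:
        if acl_matches(acls[acl_name], request):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

ACLS = {
    "USER-ok": ("user_cert_cn", {"surname.name"}),
    "USER-ko": ("user_cert_cn", {"ko1.ko1"}),
    "all": ("all", None),
}
TWO_RULES = [("allow", "USER-ok"), ("deny", "USER-ko")]
WITH_DENY_ALL = TWO_RULES + [("deny", "all")]

# Constructed requests: three clients whose certificate reaches the acl,
# and one request where no certificate is seen at all.
REQUESTS = {
    "ok": {"cert_cn": "surname.name"},
    "ko": {"cert_cn": "ko1.ko1"},
    "other": {"cert_cn": "someone.else"},
    "no_cert": {"cert_cn": None},
}

def decisions(rules):
    return {name: http_access(rules, ACLS, req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    print("two rules    :", decisions(TWO_RULES))
    print("with deny all:", decisions(WITH_DENY_ALL))
```
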
