Hi Henrik,
>>>> Solved! I needed to point the cafile option to the new VeriSign
>>>> cert ...
>>>Or add the certificate chain to the certificate, starting with the
>>>server certificate and followed by the issuing certificates down to the
>>>level trusted by browsers. What most people do.
>> Yes, I tried that, but it didn't make any difference. The intermediate
>> certificate was still marked as invalid.
>Sorry, my memory is a little dim without any quoted context on the
>discussion. What did you try? And why?
Sorry about that, but for some strange reason your messages get attached as
text files in my newsreader ... for an explanation see the original quoted
text above ...
>> Concerning my other question (about client authentication using
>> certificates): is there anything I need to patch to make this work?
>> If there isn't, what do I need to do to make this work?
>If the backend server is dependent on authentication using client
>certificates then its SSL port needs to be published on the Internet
>with no reverse proxy in between.
What I want Squid to do is authenticate the client using client certificates
(that is how my current firewall works). That firewall will be replaced by the
one I'm building now, which uses Squid as the HTTP proxy.
My current Squid 2.6.STABLE4 setup is as follows:
<snip>
https_port webmail:443 \
defaultsite=webmail.foo.com vhost \
cert=/usr/local/etc/squid/certs/webmail.foo.com.pem \
cafile=/etc/CA/ssl/public/vsign-class3.crt \
# clientca=/etc/CA/ssl/public/ca.pem \
# crlfile=/etc/CA/ssl/public/crl.pem \
# sslflags=DELAYED_AUTH \
capath=/etc/CA/ssl/public
cache_peer x.x.x.x parent 80 0 no-query originserver front-end-https proxy-only no-digest login=PASS connection-auth=off
cache_peer_domain x.x.x.x webmail.foo.com
acl Websites type accelerated
acl Website_domains dstdomain webmail.foo.com
http_access allow Websites Website_domains
http_access deny Websites
</snip>
NOTES:
- As you can see, I commented out the section that should be performing
client certificate authentication.
- The cache_peer line shouldn't have the connection-auth=off option
What I need to know is why I can't get it to work, e.g. what should go into
the clientca option?
I have tried with the certificate of the CA (my own, self-signed CA), but for
some strange reason I get "SSL unknown certificate error 12 (or 20)" and
then a lot of SSL errors indicating that the client didn't supply a
certificate ...
This really gives me a headache ...
TIA
Bert.
Received on Thu Nov 09 2006 - 06:08:33 MST
This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:03 MST
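The clientca question in the message above (what the server must trust before it accepts a client certificate) is the same chain check every TLS server performs, so here is an added worked example that is not code from this thread or from Squid. It models the check with Go's crypto/x509 instead of OpenSSL: it mints a hypothetical private root CA, an issuing intermediate, an unrelated CA and a few client certificates in memory, then verifies the chain a client would present against different trust pools that stand in for clientca/capath. Every name, the serial-number handling and the case labels are assumptions made for the demo; the behaviour it shows (the trust store must contain the client certificate's issuer, the presented chain starts with the leaf, and the leaf must be allowed for client authentication) is what OpenSSL enforces as well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// identity is one certificate plus its private key; the whole PKI is minted in memory.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate for cn signed by parent (self-signed when parent is nil).
// eku is the extended key usage a leaf carries; CAs get certSign instead.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = &identity{tmpl, key} // the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &identity{cert, key}
}

// presented is the chain a client sends in the handshake: its leaf first, then
// whatever issuing certificates it has been configured to include.
func presented(ids ...*identity) []*x509.Certificate {
	var out []*x509.Certificate
	for _, id := range ids {
		out = append(out, id.cert)
	}
	return out
}

// pool is the server's trust store, the role clientca/capath play in squid.conf.
func pool(ids ...*identity) *x509.CertPool {
	p := x509.NewCertPool()
	for _, id := range ids {
		p.AddCert(id.cert)
	}
	return p
}

// verify is the server-side decision: the first presented certificate must chain,
// possibly through the other presented ones, to an anchor in clientCAs and must be
// valid for client authentication. A nil result means the client is authenticated.
func verify(chain []*x509.Certificate, clientCAs *x509.CertPool) error {
	if len(chain) == 0 {
		return errors.New("client did not present a certificate")
	}
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		Roots:         clientCAs,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// run mints a private root with an issuing intermediate and replays the situations
// from the thread; the map holds each server-side verdict (hypothetical names).
func run() map[string]error {
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	root := issue("Private Root CA", true, nil, nil)
	inter := issue("Private Issuing CA", true, nil, root)
	other := issue("Unrelated CA", true, nil, nil)
	direct := issue("bert (signed by root)", false, clientAuth, root)
	leaf := issue("bert (signed by intermediate)", false, clientAuth, inter)
	srvOnly := issue("bert (serverAuth only)", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, root)
	return map[string]error{
		"leaf signed by root, clientca=root":            verify(presented(direct), pool(root)),
		"leaf+intermediate sent, clientca=root":         verify(presented(leaf, inter), pool(root)),
		"leaf only sent, clientca=root":                 verify(presented(leaf), pool(root)),
		"leaf only sent, clientca=root+intermediate":    verify(presented(leaf), pool(root, inter)),
		"leaf+intermediate sent, clientca=unrelated CA": verify(presented(leaf, inter), pool(other)),
		"serverAuth-only cert used as client cert":      verify(presented(srvOnly), pool(root)),
		"no certificate presented":                      verify(nil, pool(root)),
	}
}

func main() {
	for name, err := range run() {
		fmt.Printf("%-46s -> %v\n", name, err)
	}
}
```

The two rejections worth checking against a real setup are "leaf only sent, clientca=root" (the browser has the client certificate but not the intermediate that issued it, and the file behind clientca holds only the root) and "clientca=unrelated CA" (the file holds some CA, just not the one that signed the client certificates); in OpenSSL both surface as verify error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, while error 12 is X509_V_ERR_CRL_HAS_EXPIRED and points at whatever is loaded through crlfile. The fix that the "root+intermediate" case shows is to put the whole issuing chain into the clientca file, root included: unlike Go, OpenSSL will not anchor a chain at an intermediate on its own unless partial-chain verification (X509_V_FLAG_PARTIAL_CHAIN, OpenSSL 1.0.2 and later) is enabled. When using capath instead, remember that OpenSSL looks the CAs up by subject-hash file names, so a directory of plainly named .crt files is as good as empty until c_rehash (or openssl rehash) has been run on it.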