Henrik,
>> What I want Squid to do is authenticate the client using client
>> certificates
>> (That is how my current firewall works) which will be replaced by the
>> one I'm building now and which utilizes Squid as the HTTP proxy
>>
>> My current Squid2.6STABLE4 setup is as follows:
>>
>> <snip>
>> https_port webmail:443 \
>> defaultsite=webmail.foo.com vhost \
>> cert=/usr/local/etc/squid/certs/webmail.foo.com.pem \
>> cafile=/etc/CA/ssl/public/vsign-class3.crt \
>> # clientca=/etc/CA/ssl/public/ca.pem \
>> # crlfile=/etc/CA/ssl/public/crl.pem \
>> # sslflags=DELAYED_AUTH \
>> capath=/etc/CA/ssl/public
>DELAYED_AUTH does not work yet.. (as indicated in the comments).
OK. I already saw this ...
>>clientca and crlfile should both work.. clientca will make Squid ask
>>the client for a certificate issued by those CAs, and to trust client
>>certificates issued by those CAs in addition to the CAs already trusted.
>> What I need to know is why I can't get it to work e.g.: what should go
>> into the clientca option?
>The public certificate(s) of the CA you want to ask the client to
>provide a certificate from.
I have it set up like this ...
>> I have tried with the certificate of the CA (own CA self-signed), but for
>> some strange reason I get "SSL unknown certificate error 12 (or 20)"
>> and then a lot of SSL errors indicating that the client didn't supply a
>> certificate ...
>No idea. Worked for me last time I tried..
Hmm, fuzzy then. Which browser did you use? I use IE 7 at the moment .. can
that be the problem?
Regards
Bert.
Received on Sat Nov 11 2006 - 06:00:06 MST
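
Added example (not part of either poster's message): assuming the numbers in the quoted "SSL unknown certificate error" line are OpenSSL verify result codes, 20 is "unable to get local issuer certificate" and 12 is "CRL has expired". The script below builds a throwaway CA and client certificate (all names and files are constructed) and shows the code returned when the CA file, as it would be passed to clientca=, does or does not contain the issuing CA.

```shell
#!/bin/sh
# Added example; every subject name and file below is constructed test data.

# Print the OpenSSL verify result for client cert $2 against CA bundle $1
# (the file that would be given to clientca=): 0 on success, else the code.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then
        echo 0
    else
        echo unknown
    fi
}

# Create a throwaway self-signed CA: $1 = file prefix, $2 = common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a client certificate: $1 = CA file prefix, $2 = client file prefix.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir/ownca" "Constructed Own CA"
    make_ca "$dir/otherca" "Constructed Other CA"
    make_client "$dir/ownca" "$dir/client"
    echo "issuing CA in bundle: $(verify_code "$dir/ownca.pem" "$dir/client.pem")"
    echo "issuing CA missing:   $(verify_code "$dir/otherca.pem" "$dir/client.pem")"
    rm -rf "$dir"
}
demo
```

Running the same `openssl verify -CAfile` check against the real CA file and a real client certificate separates a trust-chain problem from a browser that simply sends no certificate.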