Re: [squid-users] NTLM passthrough over https breaks during NTLM handshake

From: Benjamin Indermühle <benjamin_at_inthemill.ch>
Date: Fri, 18 Sep 2009 17:23:41 +0200

On 18.09.2009, at 16:12, Amos Jeffries wrote:

> Benjamin Indermühle wrote:
>> Hello
>> I am trying to set up a squid between my exchange server and the
>> outside world.
>> I am having trouble getting ntlm to work.
>> [internet]---<https>---[squid]---<https>---[exchange]
>> Squid's job would be to terminate the ssl connection and start a
>> new one to the ntlm server and pass the ntlm authorization through
>> to exchange.
>> The ssl connection squid -> exchange is getting terminated with the
>> following error in squid
>> 2009/09/18 09:05:38| fwdNegotiateSSL: Error negotiating SSL
>> connection on FD 18: error:00000000:lib(0):func(0):reason(0) (5/0/0)
>> 2009/09/18 09:05:38| TCP connection to xchg07-dev-be.dev.domain.com
>> (10.1.3.20:443) failed
>> If I switch the connection Squid <-> exchange to http the
>> connection does not break and ntlm auth works.
>
> Your SSL certificate may be being rejected by the Exchange server
> then.

I doubt that.
NTLM breaks during the handshake and not when starting the connection.
The ssl connection is established.
Plain auth also works, which it wouldn't if the exchange server didn't
accept the client cert (an error would be displayed).
+ owa works
When I look at the tcp stream there is no break of negotiation from
the exchange; squid resends a client hello on an open ssl tunnel, which
in turn causes exchange to terminate the connection.

>
>> I have tried all kinds of parameters in the configuration
>> With or without client certificate, nothing helped the connection
>> terminates every time.
>> I have also tried different versions of Squid namely:
>> Squid Cache: Version 2.7 STABLE6
>> Squid Cache: Version 2.6 STABLE20
>> I am running Centos5 on the Server
>> I took a closer look at the ntlm handshake and made a tcpdump on
>> squid to see how and when the connection is terminated
>> >>>>>>>>>>>>> Page Request
>> Please authenticate with NTLM <<<<<<
>> >>>>>>>>>>>>> NTLM negotiate
>> NTLM challenge <<<<<<<<<<<<<<<<<<<
>> TCP Connection should not be terminated from here on
>> Squid resends Client Hello package
>> Exchange terminates connection.
>> Connection is reopened.
>> >>>>>>>>>>>> NTLM Authentication
>> RESET <<<<<<<<<<<<<<<<<<<<<<
>> This is my squid config
>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>> extension_methods RPC_IN_DATA RPC_OUT_DATA
>> https_port 10.1.16.33:443 cert=/etc/squid/ssl/webmail-dev.crt key=/
>> etc/squid/ssl/webmail-dev.key cafile=/etc/squid/ssl/webmail-dev.crt
>> defaultsite=webmail-dev.domain.com
>> cache_peer 10.1.3.20 parent 443 0 no-query originserver login=PASS
>> ssl sslcert=/etc/squid/ssl/sextans-be.cert sslkey=/etc/squid/ssl/
>> sextans-be.key sslcafile=/etc/squid/ssl/someca-cax509.cert
>> # access control
>> acl all src 0.0.0.0/0.0.0.0
>> # basic URL based access restriction for DEV Exchange 2007
>> acl url_allow url_regex -i ^https://webmail-dev.domain.com/
>> http_access allow url_allow
>> http_access deny all
>> # extra access log file
>> access_log /var/log/squid/access.log
>> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> any help would be appreciated.
>> Best regards
>> Benjamin Indermühle
>
> http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
>
> * You are missing a never_direct entry.
> * Your certificate settings differ from those known to work with
> Exchange.
> * You are using a full URL regex to match a simple domain name. Use
> dstdomain instead.
>
I have changed my squid configuration accordingly.
The problem persists.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
# Define the required extension methods
extension_methods RPC_IN_DATA RPC_OUT_DATA

https_port 10.1.16.33:443 cert=/etc/squid/ssl/webmail-dev.crt.pem
defaultsite=webmail-dev.domain.com
cache_peer 10.1.3.20 parent 443 0 no-query originserver login=PASS ssl
sslcert=/etc/squid/ssl/sextans-be.pem name=exchangeServer

acl EXCH dstdomain webmail-dev.domain.com
acl all src 0.0.0.0/0.0.0.0

cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH

http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
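Added example, not code from the thread or from the Squid project: a small checker that parses a squid.conf fragment and applies the three review points raised above (never_direct present, cache_peer in originserver mode with login=PASS, dstdomain instead of url_regex). The two embedded configs are constructed from the ones posted in the thread, reduced to the lines those points touch; the function names are mine.

```python
# Constructed: the first posted config, reduced to the lines the review points touch.
FIRST_CONF = """\
cache_peer 10.1.3.20 parent 443 0 no-query originserver login=PASS ssl
acl url_allow url_regex -i ^https://webmail-dev.domain.com/
http_access allow url_allow
"""

# Constructed: the revised config from the reply, reduced the same way.
REVISED_CONF = """\
extension_methods RPC_IN_DATA RPC_OUT_DATA
cache_peer 10.1.3.20 parent 443 0 no-query originserver login=PASS ssl name=exchangeServer
acl EXCH dstdomain webmail-dev.domain.com
cache_peer_access exchangeServer allow EXCH
never_direct allow EXCH
http_access allow EXCH
"""


def parse_conf(text):
    """Yield (directive, [args]) for each non-blank, non-comment squid.conf line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing '#' comments
        if line:
            directive, *args = line.split()
            yield directive, args


def review_exchange_peer(text):
    """Return a list of findings; an empty list means all three review points hold."""
    entries = list(parse_conf(text))
    findings = []
    peers = [args for d, args in entries if d == "cache_peer"]
    if not peers:
        findings.append("no cache_peer defined for the Exchange backend")
    for args in peers:
        if "originserver" not in args:
            findings.append("cache_peer lacks originserver (reverse-proxy mode)")
        if "login=PASS" not in args:
            findings.append("cache_peer lacks login=PASS, so NTLM headers are not passed through")
    # Without never_direct, requests may be fetched directly instead of via the peer.
    if not any(d == "never_direct" and a[:1] == ["allow"] for d, a in entries):
        findings.append("missing never_direct allow; requests may bypass the peer")
    # A plain host match belongs in dstdomain, not a full-URL regex.
    for d, a in entries:
        if d == "acl" and len(a) >= 2 and a[1] == "url_regex":
            findings.append(f"acl {a[0]} uses url_regex; use dstdomain for a host match")
    return findings
```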
Received on Fri Sep 18 2009 - 15:23:50 MDT
