Le Lundi 22 Mars 2010 23:30:27, Amos Jeffries a écrit :
> Luis Daniel Lucio Quiroz wrote:
> > Le Lundi 22 Mars 2010 21:47:05, Guido Marino Lorenzutti a écrit :
> >> Hi people: Im trying to give my clients access to my non ssl
> >> webservers thru my reverse proxies adding ssl support on them.
> >>
> >> Like the subject tries to explain:
> >>
> >> WAN CLIENTS --- SSL SQUID (443) --- NON SSL webserver (80).
> >>
> >> This is the relevant part of the squid.conf:
> >>
> >> https_port 22.22.22.22:443 cert=/etc/squid/crazycert.domain.com.crt
> >> key=/etc/squid/crazycert.domain.com.key
> >> defaultsite=crazycert.domain.com vhost
> >> sslflags=VERIFY_CRL_ALL,VERIFY_CRL cafile=/etc/squid/ca.crt
> >> clientca=/etc/squid/ca.crt
>
> "cafile=" option overrides the "clientca=" option and contains a single
> CA to be checked.
>
> Set clientca= to the file containing the officially accepted global CA
> certificates. The type used for multiple certificates is a .PEM file if
> I understand it correctly.
>
> If you have issued the clients with certificates signed by your own
> custom CA, then add that to the list as well.
>
> I will assume that you know how to do that since you are requiring it.
>
> >> cache_peer crazycert.domain.com parent 80 0 no-query proxy-only
> >> originserver login=PASS
> >>
> >> Im using a self signed certificate and the squid should not allow the
> >> connection if the client does not have a valid key.
> >>
> >> When I try to connect I get this error:
> >>
> >> 2010/03/23 00:39:47| SSL unknown certificate error 3 in
> >> /C=AR/ST=Buenos Aires/L=Ciudad Aut\xF3noma de Buenos Aires/O=Consejo
> >> de la Magistratura de la C.A.B.A./OU=Direcci\xF3n de Inform\xE1tica y
> >> Tecnolog\xEDa/CN=Guido Marino
> >> Lorenzutti/emailAddress=glorenzutti_at_jusbaires.gov.ar
> >>
> >> 2010/03/23 00:39:47| clientNegotiateSSL: Error negotiating SSL
> >> connection on FD 12: error:140890B2:SSL
> >> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)
> >>
> >> Any ideas?
> >> I don't think the problem is in the certificates, coz im using them on
> >> an apache working like reverse proxy. But I would prefer having squid
> >> for everything.
> >>
> >> Tnxs in advance.
> >
> > You cant
> > look for apache fake-ssl mod to do that
>
> @Luis: What do you mean?
>
> For reverse proxy environments it is possible and easily done AFAIK.
>
> Amos
OH, I did try that scenario once ago and I couldnt
Received on Tue Mar 23 2010 - 05:46:08 MDT
This archive was generated by hypermail 2.2.0 : Tue Mar 23 2010 - 12:00:06 MDT