Erwan Le Du wrote:
> Hi,
> I'm using "squid" as a reverse proxy to allow the users to connect to
> Exchange 2007 from the outside. All is OK (OWA and RPC over HTTPS), but
> I would like to know if we can secure the connections with a
> certificate. I would like the users to be required to have the
> certificate to connect to Outlook Web Access. For the moment, if I
> do not have the certificate I get a warning from the internet browser
> (because it's a self-signed certificate), but I can continue and
> finally "catch" the OWA interface... With Apache I can use
> SSLVerifyClient, but I don't know if it's possible with squid as a
> reverse proxy. Otherwise I can enable the option "client certificate
> require" in the SSL settings for the folder "owa" in IIS 7, but I would
> like to connect to Outlook Web Access from the internal network
> without a certificate.
Sure you can. These three things can be done to strengthen the
certificate security chain:
* Remove the "sslflags=DONT_VERIFY_PEER" and Squid will check that the
certificate provided by OWA is valid and trustworthy, rejecting
connections to the peer if not.
* Setting a client certificate which OWA trusts into the squid
cache_peer line will strengthen the link between Squid and OWA and
permit OWA to check that it is Squid making the contact.
(NP: this says nothing about clients using Squid though, only the
particular Squid->OWA link)
* Having the certificate presented by https_port signed properly by a
CA which the clients trust will resolve that self-signed warning.
OR
* Specifying the clientca= option on https_port sets the list of
trusted CAs used to verify the visiting clients' certificates.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.7
Beta testers wanted for 3.2.0.1

Received on Sat Aug 28 2010 - 23:30:45 MDT
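The four measures from the reply above, put together into a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; it goes one step beyond the reply by using two https_port listeners so that only the externally reachable one demands a client certificate, which is how the original question's "no certificate from the internal network" requirement can be met. All hostnames, addresses and file paths are assumed placeholders.

```squid
# Added example squid.conf fragment (not from the original thread).
# mail.example.com, 203.0.113.10, 10.0.0.10, 192.0.2.20 and the
# /etc/squid/*.pem paths are placeholders.

# External listener. clientca= makes Squid request a client certificate
# and reject the TLS handshake unless it chains to a CA in that file.
# cert= is a certificate signed by a CA the browsers already trust, which
# removes the self-signed warning.
https_port 203.0.113.10:443 accel defaultsite=mail.example.com \
    cert=/etc/squid/owa-public.pem key=/etc/squid/owa-public.key \
    clientca=/etc/squid/owa-client-ca.pem

# Internal listener for the same site. No clientca=, so internal users
# are not asked for a certificate. Enforcement happens at handshake
# level per listener, so this cannot be bypassed with a src ACL on the
# external port.
https_port 10.0.0.10:443 accel defaultsite=mail.example.com \
    cert=/etc/squid/owa-internal.pem key=/etc/squid/owa-internal.key

# Squid -> OWA link. No sslflags=DONT_VERIFY_PEER, so the Exchange server
# certificate must chain to a CA in sslcafile and its name must match
# ssldomain. sslcert/sslkey present Squid's own certificate to IIS, so
# OWA can check that it is Squid (and not something else) connecting.
cache_peer 192.0.2.20 parent 443 0 no-query originserver ssl \
    sslcafile=/etc/squid/exchange-ca.pem ssldomain=mail.example.com \
    sslcert=/etc/squid/squid-client.pem sslkey=/etc/squid/squid-client.key \
    name=owa

# Only forward requests for the OWA site to the peer.
acl owa_site dstdomain mail.example.com
cache_peer_access owa allow owa_site
cache_peer_access owa deny all
http_access allow owa_site
http_access deny all
```

After reloading, check that the external listener refuses a connection without a client certificate and accepts one issued by the CA in clientca=, and that cache.log shows no peer certificate verification errors for the owa peer.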