Re: Squid with encrypted authentication vs. Novell BorderManager

From: Oskar Pearson <>
Date: Thu, 27 Nov 1997 15:31:08 +0200


> The main problem I see with this approach (aside of the politics against
> using Linux) is that Squid authentication is normally unencrypted HTTP
> Basic Authentication, i.e. user ID and Passwords "in the clear" (well,
> Base64 encoded) *on every hit*. How plausible is it to force clients to

I am not sure which browsers support rfc2069.txt authentication...
it might be possible to build it into squid.

> authenticate to a Squid proxy via SSL (using SSLeay, perhaps) to avoid this
> problem? I don't mind doing some coding/hacking in my spare time, but a
> major development effort is out of the question.

It should be possible - you will have to kludge it rather seriously though.
You would have to send an occasional (every hour or what?) redirect
to a page that asks them to authenticate via SSL. Then you would
put their IP into a list of IP->user mappings and from then on authenticate
with IP.... good luck... it's ugly.

> The second approach is Novell BorderManager. I am very concerned about its
> scalability, and do not yet know if its authentication and session
> management meet our needs either, but it certainly sounds promising on the

It must surely also use cleartext stuff?

> surface. It supports ICP and is supposed to be "Squid-derived" (though I
> rather doubt that given Squid's GPL, perhaps it is really Harvest-derived).
> Has anyone compared its performance/scalability vs., say, Squid on Linux on
> the same hardware?

It's Novell - as far as I know it doesn't compete at the OS level
(Novell is a file-server at heart, not a program box)

"Haven't slept at all. I don't see why people insist on sleeping. You feel
so much better if you don't. And how can anyone want to lose a minute -
a single minute of being alive?"				-- Think Twice
Received on Thu Nov 27 1997 - 05:40:17 MST
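
The IP->user mapping scheme described in the reply above, sketched as an added example (not part of the original message and not Squid code). The class name, LOGIN_URL and the addresses are hypothetical; the one-hour lifetime follows the "every hour" suggestion in the message.

```python
import time

REAUTH_SECONDS = 3600  # "every hour" from the message
LOGIN_URL = "https://proxy.example.net/login"  # hypothetical SSL login page


class IpSessionTable:
    """IP -> (user, expiry) table, filled in by the SSL login page."""

    def __init__(self, ttl=REAUTH_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self.sessions = {}

    def login(self, ip, user):
        """Record a mapping once the user has authenticated over SSL."""
        self.sessions[ip] = (user, self.clock() + self.ttl)

    def check(self, ip):
        """Return ("allow", user) or ("redirect", LOGIN_URL) for a request."""
        entry = self.sessions.get(ip)
        if entry is None:
            return ("redirect", LOGIN_URL)
        user, expires = entry
        if self.clock() >= expires:
            # Stale mapping: drop it so the next hit forces a fresh SSL login.
            del self.sessions[ip]
            return ("redirect", LOGIN_URL)
        return ("allow", user)


def demo():
    now = [0.0]  # constructed clock so the run is deterministic
    table = IpSessionTable(clock=lambda: now[0])
    results = [table.check("192.0.2.10")]      # no mapping yet
    table.login("192.0.2.10", "alice")
    results.append(table.check("192.0.2.10"))  # just authenticated
    # Limitation of the scheme: every client behind the same address
    # (NAT, multi-user host) is treated as alice until the entry expires.
    now[0] = 1800.0
    results.append(table.check("192.0.2.10"))  # still within the hour
    now[0] = 3600.0
    results.append(table.check("192.0.2.10"))  # expired, re-authenticate
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Credentials cross the wire only during the SSL login, but between logins the proxy trusts the source address alone, so the lifetime bounds how long a reassigned or shared address keeps another user's identity.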

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:44 MST