RE: [squid-users] user_cert ACL in accel mode

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 29 Feb 2004 16:30:09 +0100 (CET)

On Sun, 29 Feb 2004, David Hajek wrote:

> Yes, it works when sslflags=DELAYED_AUTH is not set - but the errors in the log
> file are still there (but now it works)
>
> 2004/02/29 14:24:05.425| Initialising SSL.
> 2004/02/29 14:24:05.425| Error error setting CA certificate locations:
> error:00000000:lib(0):func(0):reason(0)
> 2004/02/29 14:24:05.425| continuing anyway...

As I said, this is a different thing and harmless, most likely from the
initialization of the SSL client code due to not having sslproxy_cafile
set.

There are quite a few SSL contexts in Squid-3:

  * One per https_port
  * One per ssl enabled cache_peer
  * One global for forwarding of https:// requests (sslproxy_* directives)

> OK. So I'm unable to use ldap auth for some of the users and client
> certs for the others until DELAYED_AUTH is implemented. In other words I
> can't use ACL options related to user certificate matching. Any
> timeframe on this?

The timeframe is when I (or MARA Systems) have a customer requiring the
functionality, or someone else submits a patch implementing the function.
I have not yet studied how complex it would be to add the renegotiation
requirements to request SSL certificates in the ACL code, but it probably
isn't entirely trivial. SSL certificate negotiation is quite different from
all other forms of authentication or ACL checks.

Regards
Henrik
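
[Added example, not part of the original message and not Squid's own documentation: a squid.conf fragment laying out the three separate SSL contexts Henrik lists, each with its own CA setting. Directive and option names are the Squid-3 https_port, cache_peer, sslproxy_* and user_cert ones discussed in the thread; the file paths, the 192.0.2.10 backend address, www.example.com and the CN values alice/bob are placeholders.]

```conf
# Added example, not from the original thread. Paths, addresses and CN
# values are placeholders; directive names are Squid-3.

# 1. Server-side context, one per https_port (accelerator mode).
#    cert=/key= identify Squid to the browser. clientca= names the CA that
#    issued the client certificates and is what makes Squid request a
#    certificate during the handshake. Per the thread above, DELAYED_AUTH
#    is not implemented, so every client on this port is asked for one;
#    this CA is unrelated to the CAs used in contexts 2 and 3 below.
https_port 443 defaultsite=www.example.com cert=/etc/squid/ssl/site.crt key=/etc/squid/ssl/site.key clientca=/etc/squid/ssl/client-ca.pem cafile=/etc/squid/ssl/client-ca.pem

# ACL on attributes of the verified client certificate: only clients whose
# certificate CN is alice or bob may reach the backend.
acl cert_users user_cert CN alice bob
acl to_backend dst 192.0.2.10

http_access allow cert_users to_backend
http_access deny all

# 2. Client-side context, one per SSL-enabled cache_peer: sslcafile= is the
#    CA that signed the backend's server certificate, checked when Squid
#    connects to the peer. Independent of clientca= above.
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ssl/backend-ca.pem
never_direct allow all

# 3. Global client-side context for forwarding https:// requests.
#    Leaving sslproxy_cafile unset is what produces the harmless
#    "Error setting CA certificate locations" line at startup; pointing it
#    at a CA bundle makes the message go away.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
```

Note that the CA files in the three contexts answer different questions (who may present a client certificate, who may sign the backend's certificate, who may sign origin servers' certificates for forwarded https:// requests), so putting the same bundle in all three is a configuration mistake even though Squid will start without complaint.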
Received on Sun Feb 29 2004 - 09:15:12 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:03 MST