[squid-users] Re: Re: Re: Can't get SSL proxy to work with MS Exchange OWA

From: Bert Moorthaemer <bert.moorthaemer@dont-contact.us>
Date: Fri, 10 Nov 2006 13:35:34 +0100

Hi Henrik,

Any comments?

TIA

Bert.

"Bert Moorthaemer" <bert.moorthaemer@blumex.com> wrote in message
news:eiv96v$2jv$1@sea.gmane.org...
> Hi Henrik,
>
>>>>> Solved! I needed to point the cafile option to the new VeriSign
>>>>> cert ..
>
>>>>Or add the certificate chain to the certificate, starting with the
>>>>server certificate and followed by the issuing certificates down to the
>>>>level trusted by browsers. What most people do.
>
>>> Yes I tried that, but it didn't make any difference. The intermediate
>>> certificate was still marked as invalid.
>
>>Sorry, my memory is a little dim without any quoted context on the
>>discussion. What did you try? And why?
>
> Sorry about that, but for some strange reason your messages get attached
> as text files in my newsreader ... for an explanation see the original
> quoted text above ...
>
>>> Concerning my other question (about
>>> client authentication using certificates) Is there anything I need to
>>> patch
>>> to make this work? If there isn't ... what do I need to do to make this
>>> work?
>
>>If the backend server is dependent on authentication using client
>>certificates then its SSL port needs to be published on the Internet
>>with no reverse proxy in between.
>
> What I want Squid to do is authenticate the client using client
> certificates (That is how my current firewall works) which will be
> replaced by the one I'm building now and which utilizes Squid as the HTTP
> proxy
>
> My current Squid2.6STABLE4 setup is as follows:
>
> <snip>
> https_port webmail:443 \
> defaultsite=webmail.foo.com vhost \
> cert=/usr/local/etc/squid/certs/webmail.foo.com.pem \
> cafile=/etc/CA/ssl/public/vsign-class3.crt \
> # clientca=/etc/CA/ssl/public/ca.pem \
> # crlfile=/etc/CA/ssl/public/crl.pem \
> # sslflags=DELAYED_AUTH \
> capath=/etc/CA/ssl/public
>
> cache_peer x.x.x.x parent 80 0 no-query originserver \
> front-end-https proxy-only no-digest login=PASS connection-auth=off
> cache_peer_domain x.x.x.x webmail.foo.com
>
> acl Websites type accelerated
> acl Website_domains dstdomain webmail.foo.com
>
> http_access allow Websites Website_domains
> http_access deny Websites
> </snip>
>
> NOTES:
> - As you can see I commented out the section that should be performing
> client certificate authentication.
> - The cache_peer line shouldn't have the connection-auth=off option
>
> What I need to know is why I can't get it to work e.g.: what should go
> into the clientca option?
> I have tried with the certificate of the CA (own CA self-signed), but for
> some strange reason I get "SSL unknown certificate error 12 (or 20)" and
> then a lot of SSL errors indicating that the client didn't supply a
> certificate ...
>
> This really gives me a headache ...
>
> TIA
>
> Bert.
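Two points in the thread above can be checked offline with the openssl command-line tool: Henrik's advice that the cert= file should carry the server certificate followed by its issuing certificates, and the question of what belongs in clientca= (the CA that actually signed the client certificates). The script below is an added example, not configuration or code from the thread or from the Squid project. It builds a throwaway PKI (root, intermediate, server cert, private client CA and client cert; all subject names and file names are constructed) and then reproduces, from a browser's point of view, the difference between sending the leaf alone and sending the leaf plus intermediate. The last check shows what happens when clientca= points at a CA that did not issue the client certificate: OpenSSL reports verify error 20, "unable to get local issuer certificate", the same code Bert quotes. It assumes an openssl binary (1.1 or 3.x) on PATH and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the thread): build a test PKI with openssl and show
# why a browser that trusts only the root rejects the server certificate
# unless the intermediate is shipped with it, i.e. why Squid's cert= file
# should hold the server cert followed by its issuing cert(s).
# Every subject name and file name below is constructed for the demo.
set -eu

# Create root CA, intermediate CA, server cert, client CA and client cert in $1.
make_test_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"

    # Root CA: plays the role of the public root a browser already trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    # Intermediate CA issued by the root (the cert browsers do NOT have locally).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.crt" >/dev/null 2>&1
    # Server cert issued by the intermediate (the webmail host's role).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=webmail.example.test' \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
    # Private, self-signed CA for client certificates (the "own CA" in the post).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Client CA' \
        -keyout "$dir/clientca.key" -out "$dir/clientca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=alice' \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/clientca.crt" -CAkey "$dir/clientca.key" \
        -CAcreateserial -extfile "$dir/client.ext" -out "$dir/client.crt" >/dev/null 2>&1

    # What cert= should point at: leaf first, then the issuing certificate(s).
    cat "$dir/server.crt" "$dir/int.crt" > "$dir/server-chain.pem"
}

# Browser view, trust store = root only, server sends only its leaf: fails
# with verify error 20 (unable to get local issuer certificate).
verify_leaf_alone() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# Same trust store, server sends leaf + intermediate as one PEM bundle: succeeds.
verify_with_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/server-chain.pem" \
        "$1/server.crt" >/dev/null 2>&1
}

# clientca= check: $2 is the CA file; it only works if that CA signed client.crt.
verify_client_cert() {
    openssl verify -CAfile "$1/$2" "$1/client.crt" >/dev/null 2>&1
}

# Stand-alone demo run.
WORK=$(mktemp -d)
make_test_pki "$WORK"
verify_leaf_alone "$WORK"              && echo "leaf alone: ok"   || echo "leaf alone: FAIL (error 20 expected)"
verify_with_chain "$WORK"              && echo "leaf+intermediate: ok"
verify_client_cert "$WORK" clientca.crt && echo "client cert vs issuing CA: ok"
verify_client_cert "$WORK" root.crt    || echo "client cert vs wrong CA: FAIL (error 20 expected)"
rm -rf "$WORK"
```

Run any of the verify steps without the `>/dev/null 2>&1` redirection to see the textual reason OpenSSL gives; the numeric code in "error 20 at 0 depth lookup" is the same value Squid surfaces in its SSL error messages, so this is a quick way to tell a missing-intermediate problem from a wrong clientca= file before touching squid.conf.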
Received on Fri Nov 10 2006 - 05:36:07 MST

This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:03 MST