Thu 2006-11-09 at 14:07 +0100, Bert Moorthaemer wrote:
> Sorry about that, but for some strange reason your messages get attached as 
> text files in my newsreader ... for an explanation see the original quoted 
> text above ...
Probably due to the GnuPG signature.
> What I want Squid to do is authenticate the client using client certificates 
> (that is how my current firewall works; it will be replaced by the one 
> I'm building now, which utilizes Squid as the HTTP proxy).
> 
> My current Squid 2.6.STABLE4 setup is as follows:
> 
> <snip>
> https_port webmail:443 \
>         defaultsite=webmail.foo.com vhost \
>         cert=/usr/local/etc/squid/certs/webmail.foo.com.pem \
>         cafile=/etc/CA/ssl/public/vsign-class3.crt \
> #       clientca=/etc/CA/ssl/public/ca.pem \
> #       crlfile=/etc/CA/ssl/public/crl.pem \
> #       sslflags=DELAYED_AUTH \
>         capath=/etc/CA/ssl/public
DELAYED_AUTH does not work yet (as indicated in the comments).
clientca and crlfile should both work. clientca will make Squid ask
the client for a certificate issued by those CAs, and trust client
certificates issued by those CAs in addition to the CAs already trusted.
> What I need to know is why I can't get it to work e.g.: what should go into 
> the clientca option?
The public certificate(s) of the CA you want to ask the client to
provide a certificate from.
> I have tried with the certificate of the CA (own CA self-signed), but for 
> some strange reason I get "SSL unknown certificate error 12 (or 20)" and 
> then a lot of SSL errors indicating that the client didn't supply a 
> certificate ...
No idea. Worked for me last time I tried.
Regards
Henrik
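The trust decision Henrik describes for clientca (accept a client certificate only if it chains to one of the CA certificates in that bundle) can be reproduced offline with the openssl command line. The script below is an added example, not part of the original thread or of Squid; it builds two throwaway CAs and two client certificates in a temporary directory (all names, subjects and files are constructed for the demo) and checks each client certificate against a bundle the way Squid checks the presented certificate against clientca. The verification wrapper greps for ": OK" instead of relying on the exit status, because old openssl releases exit 0 from "openssl verify" even on failure.

```shell
#!/bin/sh
# Added example (not from the original thread or Squid's own code):
# reproduce the client-certificate trust check Squid makes with clientca=.
# Every CA, subject and file below is constructed for the demo in $WORK.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA, written to $WORK/NAME.key and $WORK/NAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_client CA CN: client certificate for CN signed by CA -> $WORK/CN.pem
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_client_cert BUNDLE CERT: succeeds (0) if CERT chains to a CA in
# BUNDLE, fails (1) otherwise. BUNDLE plays the role of Squid's clientca=
# file: one or more PEM CA certificates concatenated.
verify_client_cert() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# --- demo: one "own" CA like Bert's, one unrelated CA ---------------------
make_ca own-ca
make_ca other-ca
issue_client own-ca alice        # issued by the CA in the bundle
issue_client other-ca mallory    # issued by a CA that is not in the bundle

# bundle with only own-ca, as in a clientca=/etc/CA/ssl/public/ca.pem setup
cp "$WORK/own-ca.pem" "$WORK/clientca.pem"
# bundle listing both CAs: clientca may hold several CA certificates
cat "$WORK/own-ca.pem" "$WORK/other-ca.pem" > "$WORK/bundle.pem"

if verify_client_cert "$WORK/clientca.pem" "$WORK/alice.pem"; then
    echo "alice:   accepted (issuer own-ca is in clientca)"
fi
if ! verify_client_cert "$WORK/clientca.pem" "$WORK/mallory.pem"; then
    echo "mallory: rejected (issuer other-ca is not in clientca)"
fi
if verify_client_cert "$WORK/bundle.pem" "$WORK/mallory.pem"; then
    echo "mallory: accepted once other-ca is added to the bundle"
fi
```

The mallory case fails with openssl verify error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), which is the error you get when the issuing CA is absent from the bundle. Against a live Squid, the equivalent check is `openssl s_client -connect webmail:443 -cert client.pem -key client.key -CAfile ca.pem`: if Squid is requesting a client certificate, s_client prints an "Acceptable client certificate CA names" section listing the subjects from the clientca file, and if that section is missing, Squid never asked for one.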
This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:03 MST