[squid-users] Client-Side Certificates

From: <techguy005-ml@dont-contact.us>
Date: Thu, 13 Sep 2007 13:18:27 -0700 (PDT)

Thanks Henrik for your guidance; however, I still cannot
seem to get client certificates to work with Squid
2.6.13 running on RHEL 4.2. Below are the config and
steps I am performing. Any insight as to what I am
doing wrong would be greatly appreciated.

##### Squid Config #####

https_port 192.168.0.2:443 protocol=https accel vhost cert=/apps/squid2.6.13/etc/ssl/syt-squid.test.com.pem cafile=/apps/squid2.6.13/etc/ssl/intcatrustedroot.pem defaultsite=syt-squid.test.com clientca=/apps/squid2.6.13/etc/ssl/clientca_trusted_root.pem

# Non-SSL Cache Peer
cache_peer 172.16.4.1 parent 80 0 proxy-only originserver name=test_syt
# ACL
acl test_syt_syt dstdomain syt-squid.test.com
# Non-SSL Cache Peer Access
cache_peer_access test_syt allow test_syt_syt

-------------------------------------

##### Actions Performed #####

1) Verified client-side cert is valid via openssl:

bash-3.00$ openssl verify -CAfile clientca_trusted_root.pem joe-clientcert.pem
joe-clientcert.pem: OK

2a) Opened Internet Explorer 6 and connected to the
Squid proxy.

2b) IE prompts to select the client-side certificate.

2c) Select the client-side certificate and click OK in
the web browser.

Squid Logs show:

2007/09/13 14:54:55| SSL unknown certificate error 20 in /O=Company, Inc./OU=Services/OU=Company Name - Something/OU=GroupID - TestTeam/OU=UserID - JoeSmoe/CN=Joe Smoe/emailAddress=joesmoe@joesmoe.com
2007/09/13 14:54:55| clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)
2007/09/13 14:54:55| SSL unknown certificate error 20 in /O=Company, Inc./OU=Services/OU=Company Name - Something/OU=GroupID - TestTeam/OU=UserID - JoeSmoe/CN=Joe Smoe/emailAddress=joesmoe@joesmoe.com

2d) IE prompts AGAIN to select the client-side
certificate.

Squid Logs show:

2007/09/13 14:54:57| SSL unknown certificate error 20 in /O=Company, Inc./OU=Services/OU=Company Name - Something/OU=GroupID - TestTeam/OU=UserID - JoeSmoe/CN=Joe Smoe/emailAddress=joesmoe@joesmoe.com
2007/09/13 14:54:57| clientNegotiateSSL: Error negotiating SSL connection on FD 20: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)
2007/09/13 14:54:57| SSL unknown certificate error 20 in /O=Company, Inc./OU=Services/OU=Company Name - Something/OU=GroupID - TestTeam/OU=UserID - JoeSmoe/CN=Joe Smoe/emailAddress=joesmoe@joesmoe.com

I tried the same process with the Firefox 2.0.0.6 browser
and got the exact same error messages in the Squid log
file.

I am at a loss as I'm not sure where the problem is.
According to the Squid 2.6 docs, it should be as
simple as adding in the CA cert for the signer of the
client-cert and adding the "clientca=" directive to
the squid.conf file.

The same Squid server utilizing normal SSL server
certificates works great! It just seems to be the
client-side certificates that are the issue.

Any help would be appreciated! Thanks!
Received on Thu Sep 13 2007 - 14:18:56 MDT
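An added example, not code from this post or from the Squid project, for anyone debugging the same log line. The number in "SSL unknown certificate error 20" is OpenSSL's X509 verification result code: 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, meaning the verifier could not find the issuer of the presented client certificate in the trust store it was given. As I read the Squid 2.6 https_port option descriptions, cafile= is the store used to verify client certificates (clientca= is only used for verification when cafile= is unset), while clientca= supplies the CA names advertised to the browser in the certificate request; that reading is my assumption, and it is why the check worth running is openssl verify against the file cafile= points to, not only against the file named in clientca=. The script constructs its own throwaway CAs, client certificate and sample log line (nothing is taken from the poster's environment), and assumes only an openssl command on PATH:

```shell
#!/bin/sh
# Added example (not from the list post or Squid). Reproduces the verification a
# TLS server performs on a client certificate, using openssl, against (a) the CA
# that signed it, (b) an unrelated CA and (c) a bundle containing both. All keys,
# CAs and the client certificate are constructed here on the fly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed throwaway CA: $1 = output path prefix, $2 = CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Client certificate signed by a CA: $1 = CA prefix, $2 = output prefix, $3 = CN.
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -set_serial 1 -days 1 -out "$2.pem" >/dev/null 2>&1
}

# Verify certificate $2 against trust store $1 and print the X509 verify result:
# 0 on success, otherwise the "error N at <depth> depth" number openssl reports
# (the same number Squid logs as "SSL unknown certificate error N"). The output
# text is parsed rather than the exit status because old openssl 1.0 releases
# exit 0 even on verification failure.
x509_verify_code() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case "$out" in
    *": OK"*) echo 0 ;;
    *)
      code=$(printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' | head -n 1)
      echo "${code:--1}"
      ;;
  esac
}

# Symbolic names for the verify codes most often seen with client certificates
# (values from OpenSSL's x509_vfy.h).
x509_verify_name() {
  case "$1" in
    0)  echo OK ;;
    2)  echo X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ;;
    10) echo X509_V_ERR_CERT_HAS_EXPIRED ;;
    18) echo X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ;;
    19) echo X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ;;
    20) echo X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ;;
    21) echo X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ;;
    *)  echo "unknown($1)" ;;
  esac
}

# Pull the error number out of a Squid cache.log line of the form
# "... SSL unknown certificate error N in /O=...".
squid_log_error_code() {
  printf '%s\n' "$1" \
    | sed -n 's/.*SSL unknown certificate error \([0-9][0-9]*\) in .*/\1/p'
}

# Constructed sample log line, shaped like the ones in the post.
SAMPLE_LOG_LINE='2007/09/13 14:54:55| SSL unknown certificate error 20 in /O=Company, Inc./OU=Services/CN=Joe Smoe'

make_ca "$WORK/clientca" "Constructed Client CA"
make_ca "$WORK/otherca" "Constructed Unrelated CA"
make_client_cert "$WORK/clientca" "$WORK/joe" "Joe Smoe"
# A verification store that holds both CAs, as a cafile= bundle would.
cat "$WORK/otherca.pem" "$WORK/clientca.pem" > "$WORK/bundle.pem"

code=$(squid_log_error_code "$SAMPLE_LOG_LINE")
echo "log line reports verify code $code ($(x509_verify_name "$code"))"

for store in clientca otherca bundle; do
  code=$(x509_verify_code "$WORK/$store.pem" "$WORK/joe.pem")
  echo "verify against $store.pem: $code ($(x509_verify_name "$code"))"
done
```

Run it with sh. Verifying against the signing CA or the bundle reports 0, while verifying against the unrelated CA alone reports 20, the code from the post. The defensive point is the mirror image of the fix: whatever file a server actually verifies client certificates against is the real list of who may authenticate, so it should contain exactly the intended client CA(s) and be reviewed with the same care as the advertised CA list.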

This archive was generated by hypermail pre-2.1.9 : Mon Oct 01 2007 - 12:00:02 MDT