Il giorno dom, 01/02/2009 alle 10.49 +0100, Mailing List SVR ha scritto:
> Il giorno dom, 01/02/2009 alle 22.10 +1300, Amos Jeffries ha scritto:
> > Mailing List SVR wrote:
> > > Il giorno dom, 01/02/2009 alle 21.56 +1300, Amos Jeffries ha scritto:
> > >> Mailing List SVR wrote:
> > >>> Il giorno dom, 01/02/2009 alle 20.28 +1300, Amos Jeffries ha scritto:
> > >>>> Mailing List SVR wrote:
> > >>>>> Hi all,
> > >>>>>
> > >>>>> I have a soap client using python ZSI, the other end is oracle soa
> > >>>>> 10.1.3.1.0 all works fine since some months. The last week oracle soa
> > >>>>> was configured to accept client certificate authentication over https.
> > >>>>> If I try to use the standard python httplib.HTTPSConnection library it
> > >>>>> fails with the infamous "bad record mac" error and so also ZSI that use
> > >>>>> httplib. Other java tools such as soapui works just fine with oracle
> > >>>>> soa.
> > >>>>>
> > >>>>> Can squid do the hard work for me in the following configuration?
> > >>>>>
> > >>>>> ZSI soap client -> squid proxy over http -> oracle soa https
> > >>>>>
> > >>>>> however squid could be authenticate to oracle soa loading the cert file
> > >>>>> and the cert key from a local file.
> > >>>>>
> > >>>>> So I would like to send my soap request to squid over http and squid
> > >>>>> could connect to oracle soa over https presenting its own client
> > >>>>> certificate (not send from my application but load from local file).
> > >>>>>
> > >>>>> Is this configuration possible?
> > >>>>>
> > >>>>> thanks
> > >>>>> Nicola
> > >>>>>
> > >>>>>
> > >>>> Yes Squid can certainly act as a HTTP->HTTPS proxy for you.
> > >>>> Just configure a normal cache_peer pointing at oracle to using SSL,
> > >>>> http://www.squid-cache.org/Doc/config/cache_peer/
> > >>>> and configure ZSI to connect to the Squid HTTP port without SSL.
> > >>> thanks but squid need to present a client certificate to authenticate
> > >>> against oracle, cache peer seems lack directive to specify certificate,
> > >>>
> > >> Look again:
> > >> ssl
> > >> sslcert=/path/to/ssl/certificate
> > >> sslkey=/path/to/ssl/key
> > >> sslversion=1|2|3|4
> > >> sslcipher=...
> > >> ssloptions=...
> > >>
> > >>
> > >
> > > You are right but I'm ot a squid expert so I need some more directions
> > > please.
> > >
> > > I added this line to squid.conf
> > >
> > > cache_peer <oraclesoahostname> parent 443 0 no-query no-digest
> > > no-netdb-exchange proxy-only default ssl
> > > sslcert=/etc/squid/cert/clients1.crt sslkey=/etc/squid/cert/clients1.key
> > > sslversion=1
> > >
> > > <oraclesoahostanme> is in my hosts file,
> > >
> > > now how squid redirect the request to <oraclesoahostname> and how I can
> > > connect to squid? On standard 3128 port (for example wget
> > > http://<squidip>:squidport/<what here?>>) or I have to use it as http
> > > proxy (export HTTP_PROXY=...)?
> > >
> > > thanks for your patience,
> > >
> > > Nicola
> > >
> >
> > Depends on whether Squid is listening on.
> > Normal http_port 3128 is connected to normally as any other proxy with
> > HTTP to port 3128.
> >
> > If the certificate is working, squid will startup and mention that its
> > read and checked the cert. And requests go out to the peer.
>
> Ok thanks seems to work just fine using my test server (apache with
> client auth certificate), here are the relevant config options:
>
> http_port 3128 accel defaultsite=<test apache site>
>
> cache_peer <test apache site> parent 443 0 no-query no-digest
> no-netdb-exchange ssl sslcert=/etc/squid/cert/clients1.crt
> sslkey=/etc/squid/cert/clients1.key sslversion=1 originserver
> sslflags=DONT_VERIFY_PEER proxy-only default
>
> I'm able to use soap ui towards <squid ip>:3128 and works fine,
>
> however zsi works in my test environment too, oracle soa is a different
> beast (curl, wget python httplib all fails with oracle soa and works
> with both apache and iis https with client certificate), tommorrow I'll
> try with squid in front of it ...
>
> thanks again
> Nicola
With oracle soa I have the following error:
fwdNegotiateSSL: Error negotiating SSL connection on FD 15:
error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
(1/0/0)
>
>
>
>
> >
> > Amos
>
Received on Mon Feb 02 2009 - 10:14:55 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 03 2009 - 12:00:02 MST