Re: [squid-users] Reverse proxy: http to https and certificate authentication

From: Mailing List SVR <lists_at_svrinformatica.it>
Date: Wed, 04 Feb 2009 09:22:56 +0100

On Tue, 03/02/2009 at 17.20 +0100, Matus UHLAR - fantomas wrote:
> > > > > >>>>> I have a soap client using python ZSI, the other end is oracle soa
> > > > > >>>>> 10.1.3.1.0; all has worked fine for some months. Last week oracle soa
> > > > > >>>>> was configured to accept client certificate authentication over https.
> > > > > >>>>> If I try to use the standard python httplib.HTTPSConnection library it
> > > > > >>>>> fails with the infamous "bad record mac" error, and so does ZSI, which uses
> > > > > >>>>> httplib. Other java tools such as soapui work just fine with oracle
> > > > > >>>>> soa.
> > > > > >>>>>
> > > > > >>>>> Can squid do the hard work for me in the following configuration?
> > > > > >>>>>
> > > > > >>>>> ZSI soap client -> squid proxy over http -> oracle soa https
> > > > > >>>>>
> > > > > >>>>> However, squid could authenticate to oracle soa by loading the cert file
> > > > > >>>>> and the cert key from a local file.
> > > > > >>>>>
> > > > > >>>>> So I would like to send my soap request to squid over http, and squid
> > > > > >>>>> could connect to oracle soa over https presenting its own client
> > > > > >>>>> certificate (not sent from my application but loaded from a local file).
> > > > > >>>>>
> > > > > >>>>> Is this configuration possible?
>
> [...]
>
> > > With oracle soa I have the following error:
> > >
> > > fwdNegotiateSSL: Error negotiating SSL connection on FD 15:
> > > error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
> > > (1/0/0)
>
> On 03.02.09 12:21, Mailing List SVR wrote:
> > Solved, I have to force squid to use ssl version 2 only and now it works
> > fine,
>
> SSL2 is insecure. Did you try forcing tls1 or ssl3?

Yes, I know ssl2 is insecure. I tried to set sslversion to all available
values (automatic, ssl2, ssl3, tlsv1) but only ssl2 works. The really
strange thing is that automatic protocol selection always fails, not only
with squid (python, httplib, wget, curl all give the bad record mac error). I
think there is a misconfiguration on the other side (oracle soa) but I
have no control over it.

Received on Wed Feb 04 2009 - 08:23:14 MST
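For reference, the reverse-proxy layout the thread describes (plain http from the client into squid, https with a locally held client certificate from squid to the origin) can be expressed with the `http_port accel` and `cache_peer ... ssl` directives of the squid 2.6/3.0 era. This fragment is an added illustration, not a configuration posted in the thread; the hostname, port and file paths are placeholders, and the `sslversion` numbering (1 automatic, 2 SSLv2, 3 SSLv3, 4 TLSv1) is the one those squid releases use.

```conf
# Added example (not from the thread). Placeholder values:
#   soa.example.internal  - the oracle soa https endpoint
#   /etc/squid/client.crt, /etc/squid/client.key - squid's own client cert/key
#   /etc/squid/soa-ca.pem - CA that issued the oracle soa server certificate

# Accept plain http from the ZSI soap client on the LAN side only.
http_port 127.0.0.1:8080 accel defaultsite=soa.example.internal

# Forward every request to the origin over https, presenting the local
# client certificate. sslcafile lets squid verify the server it talks to.
#
# sslversion=4 (TLSv1) is the setting to prefer. The thread's author reports
# that against this particular origin only sslversion=2 (SSLv2) negotiates,
# while automatic/ssl3/tlsv1 fail with "bad record mac" from every client
# tried, which points at an origin-side misconfiguration rather than squid.
cache_peer soa.example.internal parent 443 0 no-query originserver \
    ssl \
    sslcert=/etc/squid/client.crt \
    sslkey=/etc/squid/client.key \
    sslcafile=/etc/squid/soa-ca.pem \
    sslversion=4 \
    name=soa

# Only the soap path may use the peer, and nothing may bypass it.
acl soap_path urlpath_regex ^/
cache_peer_access soa allow soap_path
cache_peer_access soa deny all
never_direct allow all

# Restrict who may talk to the accelerator at all.
acl soap_client src 127.0.0.1
http_access allow soap_client
http_access deny all
```

Because the http leg carries the soap payload in clear, the `http_port` bind address and the `http_access` rules are what keep that leg from becoming an open relay to the certificate-authenticated origin.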

This archive was generated by hypermail 2.2.0 : Wed Feb 04 2009 - 12:00:01 MST