Re: [squid-users] clients -- SSL SQUID -- NON SSL webserver from Amos Jeffries on 2010-03-22 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 23 Mar 2010 18:30:27 +1300

Luis Daniel Lucio Quiroz wrote:
> Le Lundi 22 Mars 2010 21:47:05, Guido Marino Lorenzutti a écrit :
>> Hi people: Im trying to give my clients access to my non ssl
>> webservers thru my reverse proxies adding ssl support on them.
>>
>> Like the subject tries to explain:
>>
>> WAN CLIENTS --- SSL SQUID (443) --- NON SSL webserver (80).
>>
>> This is the relevant part of the squid.conf:
>>
>> https_port 22.22.22.22:443 cert=/etc/squid/crazycert.domain.com.crt
>> key=/etc/squid/crazycert.domain.com.key
>> defaultsite=crazycert.domain.com vhost
>> sslflags=VERIFY_CRL_ALL,VERIFY_CRL cafile=/etc/squid/ca.crt
>> clientca=/etc/squid/ca.crt

"cafile=" option overrides the "clientca=" option and contains a single
CA to be checked.

Set clientca= to the file containing the officially accepted global CA
certificates. The type used for multiple certificates is a .PEM file if
I understand it correctly.

If you have issued the clients with certificates signed by your own
custom CA, then add that to the list as well.

I will assume that you know how to do that since you are requiring it.

>>
>> cache_peer crazycert.domain.com parent 80 0 no-query proxy-only
>> originserver login=PASS
>>
>> Im using a self signed certificate and the squid should not allow the
>> connection if the client does not have a valid key.
>>
>> When I try to connect I get this error:
>>
>> 2010/03/23 00:39:47| SSL unknown certificate error 3 in
>> /C=AR/ST=Buenos Aires/L=Ciudad Aut\xF3noma de Buenos Aires/O=Consejo
>> de la Magistratura de la C.A.B.A./OU=Direcci\xF3n de Inform\xE1tica y
>> Tecnolog\xEDa/CN=Guido Marino
>> Lorenzutti/emailAddress=glorenzutti_at_jusbaires.gov.ar
>>
>> 2010/03/23 00:39:47| clientNegotiateSSL: Error negotiating SSL
>> connection on FD 12: error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)
>>
>> Any ideas?
>> I don't think the problem is in the certificates, coz im using them on
>> an apache working like reverse proxy. But I would prefer having squid
>> for everything.
>>
>> Tnxs in advance.
>
> You cant
> look for apache fake-ssl mod to do that

@Luis: What do you mean?

For reverse proxy environments it is possible and easily done AFAIK.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
   Current Beta Squid 3.1.0.18

Received on Tue Mar 23 2010 - 05:30:42 MDT

This archive was generated by hypermail 2.2.0 : Wed Mar 24 2010 - 12:00:06 MDT