[squid-users] squid as forward proxy for portal run on tomcat

From: arielf <arielf_at_il.ibm.com>
Date: Thu, 17 Mar 2011 02:05:50 -0700 (PDT)

Hi all,

I am trying to use squid as a forward proxy for target applications using
both http and https sites.
I added the following lines to my squid.conf

http_port 3128 ssl-bump key=/path/mykey.pem cert=/path/mycert.pem
ssl_bump allow all

Now I tested on third party http and https sites, and it works nicely :)
However, when I try to proxy a portal that I configured the security keys for,
it does not work.

From cache.log:
-----BEGIN SSL SESSION PARAMETERS-----
MHECAQECAgMBBAIANQQg0b4mR/aJ5Vez5HNh6dSwUL4vs/d+v+ceEwKpWxHdFoME
MI3ZqOI/+MjpLLsjIoFchf9dxA/wD9aoZZgrbiq6GRtvOTWRRFeaQA1KFfVgmFo7
FaEGAgRNgfR5ogQCAgEspAIEAA==
-----END SSL SESSION PARAMETERS-----
2011/03/17 07:46:01| SSL unknown certificate error 18 in
/C=IL/ST=NA/L=NA/O=IBM/OU=HRL/CN=Magen
2011/03/17 07:46:01| fwdNegotiateSSL: Error negotiating SSL connection on FD
13: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (1/-1/0)

I actually configured my tomcat and squid with the same security keystore.
Of course tomcat used JKS and squid uses PEM, so I created a self signed JKS
keystore for tomcat and then exported key and cert in PEM format from it to
use for squid.

This is how I did it:
keytool -genkey -keyalg RSA -alias mykey -keystore keystore.jks -storepass "password" -validity 365
keytool -export -alias mykey -keystore keystore.jks -file mycert.crt
keytool -import -trustcacerts -alias mycert -file mycert.crt -keystore keystore.jks

keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12
openssl pkcs12 -in keystore.p12 -out keystore.pem
openssl rsa -in keystore.pem -out mykey.pem
openssl x509 -in keystore.pem -out mycert.pem

Then I use: keystore.jks for tomcat, and mykey.pem/mycert.pem for squid

Of course, if any of you have made this type of configuration work, I am willing
to create any key/cert/keystore for both squid/tomcat since they are both
under my control.

If anyone has an idea how to make this work, I'd be VERY grateful.
Thanks, Ariel.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-as-forward-proxy-for-portal-run-on-tomcat-tp3383986p3383986.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Thu Mar 17 2011 - 09:05:57 MDT

This archive was generated by hypermail 2.2.0 : Fri Mar 18 2011 - 12:00:03 MDT
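The cache.log line above ends in "certificate error 18", which is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: Squid's upstream side received the self-signed Tomcat certificate and had no trust anchor for it. The key=/cert= pair on http_port is what Squid presents to the browser for the bumped connection; it is not a trust anchor for the server being proxied. The following is an added example, not code from the post or from the Squid project. It uses only openssl (no keytool) to build one key pair as PEM for Squid and PKCS12 for Tomcat, checks that the exported key and certificate actually match, reproduces error 18 with a bare openssl verify, and then shows the same certificate verifying once it is supplied as a CA file. The subject string copies the one in the log; the "password" keystore password, the scratch directory and the file names are assumptions chosen to match the post.

```sh
#!/bin/sh
# Added example, not from the original post: reproduce the "SSL unknown
# certificate error 18" seen in cache.log with plain openssl, and check the
# material before handing it to Tomcat and Squid.
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch dir (assumption); file names follow the post

# One RSA key and a self-signed certificate. The subject copies the post's
# cert; "password" and 365 days mirror the post's own keytool settings.
make_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=IL/ST=NA/L=NA/O=IBM/OU=HRL/CN=Magen" \
    -keyout "$WORK/mykey.pem" -out "$WORK/mycert.pem" 2>/dev/null
  # PKCS12 keystore for Tomcat (keystoreType="PKCS12" on the Connector);
  # this replaces the JKS -> PKCS12 -> PEM round trip and keeps one key pair.
  openssl pkcs12 -export -name mykey -passout pass:password \
    -inkey "$WORK/mykey.pem" -in "$WORK/mycert.pem" -out "$WORK/keystore.p12"
}

# Check 1: the PEM key and PEM cert belong together (same RSA modulus).
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$WORK/mykey.pem" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$WORK/mycert.pem")
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Check 2: verify the server cert the way Squid's upstream side does when no
# trust anchor is configured. A self-signed cert fails at depth 0 with X509
# error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), the code in cache.log.
verify_untrusted() {
  if openssl verify "$WORK/mycert.pem" 2>&1 | grep -q 'error 18 at 0 depth'; then
    echo 'error 18'
  else
    echo 'no error 18'
  fi
}

# Check 3: the same cert verifies once it is supplied as a trust anchor.
# In Squid 3.1 the sslproxy_cafile directive is what supplies that anchor
# for the server side of a bumped connection.
verify_trusted() {
  if openssl verify -CAfile "$WORK/mycert.pem" "$WORK/mycert.pem" 2>&1 | grep -q ': OK'; then
    echo OK
  else
    echo FAIL
  fi
}

make_material
echo "key/cert modulus: $(key_matches_cert)"
echo "no trust anchor:  $(verify_untrusted)"
echo "with CAfile:      $(verify_trusted)"
```

Run it once and the three lines show "match", "error 18" and "OK". The middle line is the condition Squid is in with the configuration quoted in the post; the last line is what it needs, which for Squid 3.1 means pointing sslproxy_cafile at the PEM certificate (or the CA that signed it) rather than relying on the cert= argument of http_port. The modulus comparison is worth keeping in any keystore-export script: the post's own commands wrote mycrt.pem while the configuration referenced mycert.pem, and a mismatched or stale pair fails in much the same way.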