This may sound insane, but here goes. I've got a file distribution system that relies on client certificate authentication through SSL (https) to authenticate clients prior to delivery of files. Typical apache with ssl and client cert setup. I have reached a situation, however, where it would be convenient to create a tiered system of caches of said files. My thought was to use squid to do this as follows:

Server stays the same - requires client cert to return a file.

Squid proxy is set up on a box with a valid client cert, setting up sslproxy_* to point to valid client certs. Squid is also configured with https to require client certs for connection to Squid (this last part is less important - the clients in this particular setup are actually on a private network that is not considered at risk). When the client makes a request for a file, squid makes the request using its authorized cert, and then serves the file down-stream.

From my initial reading of the squid configs and documentation I could find, it seemed like this would be possible. I have tried it, and it doesn't seem to be working. I get the (apparently common) SSL 'CONNECT' error:

clientNegotiateSSL: Error negotiating SSL connection on FD 11: 
error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

Is what I'm trying to do even possible with Squid? I'm using version 2.6.STABLE6 on CentOS 5.2. I'd be happy to send my squid configs if that'd help. Any help would be appreciated ;-)

Justin Binns
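
The "https proxy request" reason in the OpenSSL error quoted above means the first bytes that arrived on the TLS listener were a plaintext HTTP CONNECT line rather than a TLS ClientHello. The following is an added example, not part of the original post and not Squid or OpenSSL code: a simplified Python re-creation of that first-bytes check, run over constructed samples (the hostname and byte strings are made up for illustration).

```python
# Added example: classify the first bytes a client sends to a TLS listener.
# Simplified re-creation of the kind of check that produces the
# "https proxy request" error; not the actual OpenSSL logic.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def classify_first_bytes(data: bytes) -> str:
    """Return a label for what the peer sent before any TLS was negotiated."""
    # A browser or client configured to use an HTTP proxy opens with CONNECT
    # in cleartext; a TLS listener cannot parse this as a handshake.
    if data.startswith(b"CONNECT"):
        return "https proxy request"
    # Any other plaintext HTTP method sent to a TLS port.
    if data.startswith(HTTP_METHODS):
        return "http request"
    # TLS/SSLv3 record: type 0x16 (handshake), major version 3,
    # then a 5-byte record header followed by handshake type 1 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls client hello"
    # SSLv2-compatible hello: high bit set in the length, message type 1.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2 client hello"
    return "unknown"


# Constructed samples: what three differently configured clients would send first.
SAMPLES = {
    "client using listener as forward proxy":
        b"CONNECT files.example.internal:443 HTTP/1.0\r\n\r\n",
    "client speaking TLS directly to listener":
        bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x01]),
    "client sending plain HTTP to listener":
        b"GET /pub/file.bin HTTP/1.0\r\n\r\n",
}


def diagnose(samples: dict) -> dict:
    """Map each sample name to the classification of its first bytes."""
    return {name: classify_first_bytes(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in diagnose(SAMPLES).items():
        print(f"{name}: {verdict}")
```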
