On 25/02/11 06:32, Martin (Jake) Jacobson wrote:
> Hi,
> I am trying to build a squid box that will proxy requests to two sites
> that require a PKI cert. The client doesn't have a cert so I want the
> squid box to take a request from the client and submit the certs it
> has to retrieve the resource.
> I was able to build squid 3.1.11 with ssl support and I have a very
> basic squid configuration to test. When I run squid -k parse I see
> that squid sees the certs
> 2011/02/24 17:23:19| Initializing cache_peer akocac SSL context
> 2011/02/24 17:23:19| Using certificate in /webroot/conf/squid/.ssl/server.crt
> 2011/02/24 17:23:19| Using private key in /webroot/conf/squid/.ssl/server.key
> 2011/02/24 17:23:19| NOTICE: Peer certificates are not verified for validity!
> 2011/02/24 17:23:19| Initializing cache_peer informationassurance SSL context
> 2011/02/24 17:23:19| Using certificate in /webroot/conf/squid/.ssl/server.crt
> 2011/02/24 17:23:19| Using private key in /webroot/conf/squid/.ssl/server.key
> 2011/02/24 17:23:19| NOTICE: Peer certificates are not verified for validity!
> BUT when I run squid -Nd1 I don't see any information about using the
> certs or private key!!!
Strange. Check that you do not have another instance of Squid using
another squid.conf sitting around somewhere.
> When squid is running I have tried to
> 1. Configure my web browser to use the squid proxy and retrieve a
> resource but instead of the Squid certs being passed, I am requested
> to use my certs loaded in my browser.
The major browsers pass https:// requests to the proxy for handling
quite differently to http://.
They only open a CONNECT tunnel instead and do all of the SSL encryption
inside it themselves.
> 2. Telnetting to the box and doing a GET request for the resource
> telnet localhost 3128
> Connected to linsrcheval2o.
> Escape character is '^]'.
> GET https://myProtectedSitel/pki/login/external_silent_autologin.jhtml
> HTTP/1.0 403 Forbidden
Well, to point out the obvious, that is "Forbidden". The test itself, if
not forbidden by the ACLs somewhere, should have used the squid
cache_peer certs.
Find out which software and controls are blocking it and you will have a
good way to test this setup.
> Both cases seem to indicate that squid is not using the PKI cert/key
> it has. Here is my configuration file:
> cache_peer protectedSite1 parent 443 0 no-query ssl
> sslcert=/webroot/conf/squid/.ssl/server.crt
> sslkey=/webroot/conf/squid/.ssl/server.key
> sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3
> sslflags=DONT_VERIFY_PEER originserver proxy-only name=site1
> cache_peer protectedSite2 sibling 443 0 no-query no-digest
> no-netdb-exchange ssl sslcert=/webroot/conf/squid/.ssl/server.crt
> sslkey=/webroot/conf/squid/.ssl/server.key
> sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3
> sslflags=DONT_VERIFY_PEER originserver proxy-only name=site2
Assuming the keys are all correct that looks right for encrypting the
origin link from Squid.
> Let me know if you need anything else and thanks for the help on this.
In order to get the browsers past their tendency for CONNECT you will
have to set up an http_port with reverse-proxy settings and set the local
DNS to point browsers at your Squid for that particular site.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.5
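The reverse-proxy arrangement Amos describes, written out as an added squid.conf example for Squid 3.1 (this is not configuration from the thread or from the Squid project; the listening certificate paths, the CA bundle path and the one-site ACL are assumptions). Browsers are pointed at the Squid box by local DNS for protectedSite1, so they talk plain HTTPS to Squid's accelerator port instead of opening a CONNECT tunnel, and Squid presents the cache_peer client certificate on the origin link. The origin certificate is verified against a CA bundle rather than skipped with DONT_VERIFY_PEER, which is what the "Peer certificates are not verified for validity!" notice in the parse output was warning about.

```conf
# Added example squid.conf fragment (Squid 3.1). Paths marked "assumed" are
# placeholders, not values from the thread.

# Browsers reach Squid directly (via DNS), so Squid must terminate TLS for the
# site name itself. The accel cert/key are ASSUMED paths and must be a
# certificate the browsers trust for protectedSite1.
https_port 443 accel defaultsite=protectedSite1 \
    cert=/webroot/conf/squid/.ssl/accel.crt \
    key=/webroot/conf/squid/.ssl/accel.key
# Optional plain-HTTP accelerator for the same site.
http_port 80 accel defaultsite=protectedSite1

# Origin link: Squid presents the PKI client cert/key from the thread to the
# origin. No sslversion=3 (that pins SSLv3 only in 3.1) and no DONT_VERIFY_PEER;
# instead verify the origin against a CA bundle (ASSUMED path).
cache_peer protectedSite1 parent 443 0 no-query originserver proxy-only ssl \
    sslcert=/webroot/conf/squid/.ssl/server.crt \
    sslkey=/webroot/conf/squid/.ssl/server.key \
    sslcafile=/webroot/conf/squid/.ssl/ca/origin-ca.pem \
    name=site1

# Only accept requests for the accelerated site, and only send them to the
# matching peer. This is the ACL check that would otherwise produce the
# "403 Forbidden" seen in the telnet test.
acl site1 dstdomain protectedSite1
http_access allow site1
cache_peer_access site1 allow site1
cache_peer_access site1 deny all
never_direct allow site1
http_access deny all
```

With this in place, `squid -k parse` should still report the cache_peer SSL context initialising with the client cert and key, but without the "not verified" notice. A quick check of the origin link that does not involve the browser at all is `openssl s_client -connect protectedSite1:443 -cert server.crt -key server.key -CAfile origin-ca.pem`, which exercises the same client-certificate handshake Squid performs and reports whether the origin's certificate chain verifies.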