Hi, we planed to use squid 3.0(-PRE3-20060221) as an SSL Reverse Proxy to Microsoft IIS with OpenCA Integration. our (test) system environment looks as follows: OS: SuSE Enterprise 9 SP3 Squid-Version: 3.0-PRE3-20060221 Squid-Options: --prefix=/usr/local/squid3 --enable-ssl Squid-Start-Options: /pathto/squid -sNd5Cf /pathto/etc/squid.conf SSL: openssl-0.9.7d-15.21 Client-Browser: Microsoft Internet Explorer Version 5,6 We only want to accept connections depending on client certificate validation (from OpenCA). Here are the main lines for CA-Integration in squid: --squid.conf--snip-- https_port 443 cert=/pathto/server.cert key=/pathto/server.key version=1 defaultsite=testserver clientca=/pathto/cacert.pem protocol=http --snap-- After starting IE and select from POPUP-Window our installed client certificate (user-certificate), the connection stops with errors: --snip-- 2006/04/05 14:51:08.035| clientNegotiateSSL: Error negotiating SSL connection on FD 11: Aborted by client 2006/04/05 14:51:13| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate (1/-1) 2006/04/05 14:52:47.747| clientNegotiateSSL: Error negotiating SSL connection on FD 11: Aborted by client 2006/04/05 14:52:54| SSL unknown certificate error 20 in /C=DE/O=xxxx/OU=Internet/CN=padu/serialNumber=99 2006/04/05 14:52:54| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1) 2006/04/05 14:52:54| SSL unknown certificate error 20 in /C=DE/O=xxxx/OU=Internet/CN=padu/serialNumber=99 --snap-- Can you please give me a hint how to force (any) clients to authenticate with certificates? -- Kind Regards from Nuernberg, Holger Padukience mailto: hp@xxxxxxx mobil: +49 170 9969293
