Re: Problems with SSL Reverse Proxy and OpenCA Integration

"H.Padukience" <hp@xxxxxxx> · Fri, 07 Apr 2006 15:08:35 +0200

hi all,

have no one any hint or idea ?!?

-> laurent . derrien / Henrik Nordstrom ....

kind regards, padu

Am Mittwoch, den 05.04.2006, 13:33 +0200 schrieb H.Padukience:
> Hi,
> 
> we planed to use squid 3.0(-PRE3-20060221) as an SSL Reverse Proxy to
> Microsoft IIS with OpenCA Integration. our (test) system environment
> looks as follows:
> 
> OS: SuSE Enterprise 9 SP3
> Squid-Version: 3.0-PRE3-20060221
> Squid-Options: --prefix=/usr/local/squid3 --enable-ssl
> Squid-Start-Options: /pathto/squid -sNd5Cf /pathto/etc/squid.conf
> SSL: openssl-0.9.7d-15.21
> Client-Browser: Microsoft Internet Explorer Version 5,6
> 
> We only want to accept connections depending on client certificate
> validation (from OpenCA). 
> 
> Here are the main lines for CA-Integration in squid:
> 
> --squid.conf--snip--
> https_port 443 cert=/pathto/server.cert key=/pathto/server.key version=1
> defaultsite=testserver clientca=/pathto/cacert.pem protocol=http
> --snap--
> 
> After starting IE and select from POPUP-Window our installed client
> certificate (user-certificate), the connection stops with errors:
> 
> --snip--
> 2006/04/05 14:51:08.035| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: Aborted by client
> 
> 2006/04/05 14:51:13| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> (1/-1)
> 
> 2006/04/05 14:52:47.747| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: Aborted by client
> 
> 2006/04/05 14:52:54| SSL unknown certificate error 20
> in /C=DE/O=xxxx/OU=Internet/CN=padu/serialNumber=99
> 
> 2006/04/05 14:52:54| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)
> 
> 2006/04/05 14:52:54| SSL unknown certificate error 20
> in /C=DE/O=xxxx/OU=Internet/CN=padu/serialNumber=99
> --snap--
> 
> Can you please give me a hint how to force (any) clients to authenticate
> with certificates?

-- 
Freundliche Gruesse aus Nuernberg,

Holger Padukience
mailto: hp@xxxxxxx
mobil: +49 170 9969293