hi all,

does no one have any hint or idea ?!?
-> laurent . derrien / Henrik Nordstrom ....

kind regards,
padu

On Wednesday, 05.04.2006, 13:33 +0200, H.Padukience wrote:
> Hi,
>
> we planned to use squid 3.0(-PRE3-20060221) as an SSL Reverse Proxy to
> Microsoft IIS with OpenCA Integration. our (test) system environment
> looks as follows:
>
> OS: SuSE Enterprise 9 SP3
> Squid-Version: 3.0-PRE3-20060221
> Squid-Options: --prefix=/usr/local/squid3 --enable-ssl
> Squid-Start-Options: /pathto/squid -sNd5Cf /pathto/etc/squid.conf
> SSL: openssl-0.9.7d-15.21
> Client-Browser: Microsoft Internet Explorer Version 5,6
>
> We only want to accept connections depending on client certificate
> validation (from OpenCA).
>
> Here are the main lines for CA-Integration in squid:
>
> --squid.conf--snip--
> https_port 443 cert=/pathto/server.cert key=/pathto/server.key version=1
> defaultsite=testserver clientca=/pathto/cacert.pem protocol=http
> --snap--
>
> After starting IE and selecting from POPUP-Window our installed client
> certificate (user-certificate), the connection stops with errors:
>
> --snip--
> 2006/04/05 14:51:08.035| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: Aborted by client
>
> 2006/04/05 14:51:13| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> (1/-1)
>
> 2006/04/05 14:52:47.747| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: Aborted by client
>
> 2006/04/05 14:52:54| SSL unknown certificate error 20
> in /C=DE/O=xxxx/OU=Internet/CN=padu/serialNumber=99
>
> 2006/04/05 14:52:54| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)
>
> 2006/04/05 14:52:54| SSL unknown certificate error 20
> in /C=DE/O=xxxx/OU=Internet/CN=padu/serialNumber=99
> --snap--
>
> Can you please give me a hint how to force (any) clients to authenticate
> with certificates?

--
Kind regards from Nuremberg,
Holger Padukience
mailto: hp@xxxxxxx
mobile: +49 170 9969293
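
A triage sketch for the cache.log lines quoted in the message above, added here as an example and not part of the original post or of Squid: it unpacks the packed OpenSSL error codes (pre-3.0 layout) and names the X509 verify result behind "SSL unknown certificate error 20". The function names `unpack_err` and `triage` are hypothetical, and the log lines are the ones from the message with the mail wrapping removed.

```python
import re

# X509 verify result codes from OpenSSL's x509_vfy.h (subset).
X509_VERIFY = {
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# Log lines copied from the message above, unwrapped.
SAMPLE_LOG = """\
2006/04/05 14:51:13| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate (1/-1)
2006/04/05 14:52:47.747| clientNegotiateSSL: Error negotiating SSL connection on FD 11: Aborted by client
2006/04/05 14:52:54| SSL unknown certificate error 20 in /C=DE/O=xxxx/OU=Internet/CN=padu/serialNumber=99
2006/04/05 14:52:54| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)
"""

VERIFY_RE = re.compile(r"SSL unknown certificate error (\d+) in (\S+)")
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*?)(?: \(|$)")

def unpack_err(code_hex):
    """Split a pre-3.0 OpenSSL packed error into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def triage(log_text):
    """Return one finding tuple per recognised log line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:  # chain verification failed for the presented client cert
            code = int(m.group(1))
            findings.append(("verify", code, X509_VERIFY.get(code, "unknown"), m.group(2)))
            continue
        m = ERR_RE.search(line)
        if m:  # handshake-level error string from the OpenSSL error queue
            findings.append(("handshake", unpack_err(m.group(1)), m.group(3), m.group(4)))
        elif "Aborted by client" in line:
            findings.append(("aborted", None, None, None))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Verify result 20 means OpenSSL could not find the issuer of the presented client certificate among the CA certificates it was given; the two handshake errors differ only in the reason field (199 and 178).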