Hi Henrik,

>>>> Solved! I needed to point the cafile option to the new VeriSign
>>>> cert ..

>>> Or add the certificate chain to the certificate, starting with the
>>> server certificate and followed by the issuing certificates down to the
>>> level trusted by browsers. What most people do.

>> Yes I tried that, but it didn't make any difference. The intermediate
>> certificate was still marked as invalid.

> Sorry, my memory is a little dim without any quoted context on the
> discussion. What did you try? And why?

Sorry about that, but for some strange reason your messages get attached as
text files in my newsreader ... for an explanation see the original quoted
text above ...

>> Concerning my other question (about client authentication using
>> certificates): is there anything I need to patch to make this work? If
>> there isn't ... what do I need to do to make this work?

> If the backend server is dependent on authentication using client
> certificates then its SSL port needs to be published on the Internet
> with no reverse proxy in between.
What I want Squid to do is authenticate the client using client certificates
(that is how my current firewall works). That firewall will be replaced by the
one I'm building now, which utilizes Squid as the HTTP proxy.

My current Squid 2.6.STABLE4 setup is as follows:

<snip>
https_port webmail:443 \
    defaultsite=webmail.foo.com vhost \
    cert=/usr/local/etc/squid/certs/webmail.foo.com.pem \
    cafile=/etc/CA/ssl/public/vsign-class3.crt \
#   clientca=/etc/CA/ssl/public/ca.pem \
#   crlfile=/etc/CA/ssl/public/crl.pem \
#   sslflags=DELAYED_AUTH \
    capath=/etc/CA/ssl/public

cache_peer x.x.x.x parent 80 0 no-query originserver \
    front-end-https proxy-only no-digest login=PASS connection-auth=off
cache_peer_domain x.x.x.x webmail.foo.com

acl Websites type accelerated
acl Website_domains dstdomain webmail.foo.com
http_access allow Websites Website_domains
http_access deny Websites
</snip>

NOTES:
- As you can see I commented out the section that should be performing
  client certificate authentication.
- The cache_peer line shouldn't have the connection-auth=off option.

What I need to know is why I can't get it to work, e.g.: what should go into
the clientca option? I have tried with the certificate of the CA (own CA,
self-signed), but for some strange reason I get "SSL unknown certificate
error 12 (or 20)" and then a lot of SSL errors indicating that the client
didn't supply a certificate ...

This really gives me a headache ...

TIA
Bert.
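Editor's note, added example (not part of the thread and not Squid's own code): the two things the exchange above turns on can both be checked offline with openssl(1) before touching squid.conf. The first is Henrik's point about the cert= file: a verifier that trusts only the root will reject the server certificate unless the intermediate is delivered with it. The second is what the clientca= file has to be: a CA that actually issued the client certificate, which is easy to get wrong when several private CAs exist. The script below builds a throwaway PKI (a root, an intermediate, a server certificate for webmail.foo.com, a private "clientca" that issues the client certificate, and a second private "rogueca" that issues a certificate with the same subject) and runs those checks with `openssl verify`. Everything in it is made up for the demonstration: the CA names, the file names, the directory passed in, and the temporary `req.cnf`; it assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI exercising the chain-file
# and clientca checks. Assumes openssl(1) on PATH; every name here is made up.
set -eu

# Key + CSR for one entity.  new_csr DIR NAME SUBJECT
# A minimal req.cnf is written so the command does not depend on the
# system openssl.cnf being present.
new_csr() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
    openssl req -config "$1/req.cnf" -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# Sign a CSR with an issuer's key, or self-sign when ISSUER is "-".
# sign_cert DIR NAME ISSUER EXTFILE
sign_cert() {
    if [ "$3" = "-" ]; then
        openssl x509 -req -in "$1/$2.csr" -days 365 -extfile "$4" \
            -signkey "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1/$2.csr" -days 365 -extfile "$4" \
            -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
            -out "$1/$2.crt" >/dev/null 2>&1
    fi
}

# root -> inter -> server is the public-facing chain; clientca issues the
# client certs the proxy should accept; rogueca stands in for "some other CA"
# and issues a cert with the very same subject name.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:webmail.foo.com\n' > "$dir/server.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    for ca in root clientca rogueca; do
        new_csr "$dir" "$ca" "/CN=Demo $ca"
        sign_cert "$dir" "$ca" - "$dir/ca.ext"
    done
    new_csr "$dir" inter  "/CN=Demo intermediate"; sign_cert "$dir" inter  root     "$dir/ca.ext"
    new_csr "$dir" server "/CN=webmail.foo.com";   sign_cert "$dir" server inter    "$dir/server.ext"
    new_csr "$dir" client "/CN=bert";              sign_cert "$dir" client clientca "$dir/client.ext"
    new_csr "$dir" rogue  "/CN=bert";              sign_cert "$dir" rogue  rogueca  "$dir/client.ext"
}

# The file for https_port cert=: server certificate first, then the issuing
# intermediate. The private key is appended because Squid 2.6 reads the key
# from the cert= file when no key= is given, hence the 0600.
build_server_chain() {
    cat "$1/server.crt" "$1/inter.crt" "$1/server.key" > "$1/webmail.foo.com.pem"
    chmod 600 "$1/webmail.foo.com.pem"
}

# What a browser trusting only the root sees. -untrusted plays the role of
# "intermediate sent by the server in the handshake". Without it the leaf
# fails with X509 error 20, "unable to get local issuer certificate".
# Caveat: openssl verify also consults the system CA store; that does not
# affect these private certs, but it can mask a missing -CAfile in real use.
verify_server_chain()     { openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/server.crt" >/dev/null 2>&1; }
verify_server_cert_alone() { openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1; }

# The check the proxy performs on a presented client certificate: does it
# chain to a CA in the clientca file?  verify_client_cert CERT CAFILE
verify_client_cert() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Cheap sanity check for the clientca file itself: the client certificate's
# issuer must be the subject of the CA in it. Subject alone proves nothing;
# the rogue cert below carries the same CN and still fails.
client_issuer_matches_ca() {
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subj=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$subj" ]
}

demo() {
    d=${1:-$(mktemp -d)}
    make_demo_pki "$d"
    build_server_chain "$d"
    verify_server_chain "$d"      && echo "chain file: root-only verifier accepts server cert"
    verify_server_cert_alone "$d" || echo "leaf alone: rejected, intermediate missing (error 20)"
    verify_client_cert "$d/client.crt" "$d/clientca.crt" && echo "client cert from clientca: OK"
    verify_client_cert "$d/rogue.crt"  "$d/clientca.crt" || echo "same CN from rogueca: rejected"
    echo "cert=$d/webmail.foo.com.pem clientca=$d/clientca.crt"
}
case "${1:-}" in demo) demo "${2:-}" ;; esac
```

Run it as `sh demo.sh demo [dir]`. The `clientca.crt` it produces is the shape of file that belongs in `clientca=`: per the 2.6 squid.conf documentation, `clientca=` is the list of CAs advertised when the client certificate is requested, while `cafile=` and `capath=` hold additional CAs used to verify what the client presents (with `cafile=` falling back to the clientca file when unset), so a browser holding a certificate from a CA that is not in that list will simply send none. The chain check is only half of the picture for the intermediate problem: it shows what the cert= file must contain, not what the listening Squid actually sends, which you would confirm with `openssl s_client -showcerts` against the running port.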