Hi Henrik,

Any comments?

TIA
Bert.

"Bert Moorthaemer" <bert.moorthaemer@xxxxxxxxxx> wrote in message
news:eiv96v$2jv$1@xxxxxxxxxxxxxxxx
> Hi Henrik,
>
>>>>> Solved! I needed to point the cafile option to the new VeriSign
>>>>> cert ..
>
>>>> Or add the certificate chain to the certificate, starting with the
>>>> server certificate and followed by the issuing certificates down to the
>>>> level trusted by browsers. What most people do.
>
>>> Yes I tried that, but it didn't make any difference. The intermediate
>>> certificate was still marked as invalid.
>
>> Sorry, my memory is a little dim without any quoted context on the
>> discussion. What did you try? And why?
>
> Sorry about that, but for some strange reason your messages get attached
> as text files in my newsreader ... for an explanation see the original
> quoted text above ...
>
>>> Concerning my other question (about client authentication using
>>> certificates) Is there anything I need to patch to make this work? If
>>> there isn't ... what do I need to do to make this work?
>
>> If the backend server is dependent on authentication using client
>> certificates then its SSL port needs to be published on the Internet
>> with no reverse proxy in between.
>
> What I want Squid to do is authenticate the client using client
> certificates (That is how my current firewall works) which will be
> replaced by the one I'm building now and which utilizes Squid as the HTTP
> proxy
>
> My current Squid2.6STABLE4 setup is as follows:
>
> <snip>
> https_port webmail:443 \
>     defaultsite=webmail.foo.com vhost \
>     cert=/usr/local/etc/squid/certs/webmail.foo.com.pem \
>     cafile=/etc/CA/ssl/public/vsign-class3.crt \
> #   clientca=/etc/CA/ssl/public/ca.pem \
> #   crlfile=/etc/CA/ssl/public/crl.pem \
> #   sslflags=DELAYED_AUTH \
>     capath=/etc/CA/ssl/public
>
> cache_peer x.x.x.x parent 80 0 no-query originserver \
>     front-end-https proxy-only no-digest login=PASS connection-auth=off
> cache_peer_domain x.x.x.x webmail.foo.com
>
> acl Websites type accelerated
> acl Website_domains dstdomain webmail.foo.com
>
> http_access allow Websites Website_domains
> http_access deny Websites
> </snip>
>
> NOTES:
> - As you can see I commented out the section that should be performing
>   client certificate authentication.
> - The cache_peer line shouldn't have the connection-auth=off option
>
> What I need to know is why I can't get it to work e.g.: what should go
> into the clientca option?
> I have tried with the certificate of the CA (own CA self-signed), but for
> some strange reason I get "SSL unknown certificate error 12 (or 20)" and
> then a lot of SSL errors indicating that the client didn't supply a
> certificate ...
>
> This really gives me a headache ...
>
> TIA
>
> Bert.
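An added check, not part of the thread and not Squid's own code: it uses the openssl CLI to build a throwaway client CA and a client certificate issued by it, then verifies that certificate against a CA file the way the proxy verifies what clientca=/cafile= points at, so a chain that validates sits next to one that fails for an unknown issuer. All file names and DNs are constructed for the demo; it assumes only that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
# Builds a throwaway client CA and a client cert signed by it, plus an
# unrelated CA, then checks which CA file the client cert chains to.
# All names below are constructed for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. The CA that issues client certificates (what clientca= should name).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Client CA" -keyout ca.key -out ca.pem 2>/dev/null

# 2. A client certificate issued by that CA.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=demo-user" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -days 1 -in client.csr \
    -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem 2>/dev/null

# 3. An unrelated CA, standing in for a wrong clientca=/cafile= setting.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" -keyout other.key -out other.pem 2>/dev/null

# Returns 0 if cert $2 chains to a CA in file $1, 1 otherwise.  Checks the
# ": OK" line rather than the exit status, which old openssl versions
# did not set on failure.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Prints the issuer DN of cert $2 next to the subject DN of CA file $1, so
# the mismatch behind "unable to get local issuer certificate" is obvious.
show_issuer_vs_ca() {
    printf 'client issuer: %s\n' "$(openssl x509 -noout -issuer -in "$2")"
    printf 'CA subject   : %s\n' "$(openssl x509 -noout -subject -in "$1")"
}

if verify_client_cert ca.pem client.pem; then echo "ca.pem: chain OK"; fi
if ! verify_client_cert other.pem client.pem; then echo "other.pem: chain fails"; fi
show_issuer_vs_ca other.pem client.pem
```

The numbers in the thread are OpenSSL X.509 verify results: 20 is "unable to get local issuer certificate" (the presented cert's issuer is not in the configured CA file) and 12 is "CRL has expired" (a stale crlfile). Against a live https_port, `openssl s_client -connect host:443` prints the "Acceptable client certificate CA names" the server advertises, which should include the CA given in clientca.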