On Thu, 2006-11-09 at 14:07 +0100, Bert Moorthaemer wrote:
> Sorry about that, but for some strange reason your messages get attached as
> text files in my newsreader ... for an explanation see the original quoted
> text above ...

Probably due to the GnuPG signature.

> What I want Squid to do is authenticate the client using client certificates
> (That is how my current firewall works) which will be replaced by the one
> I'm building now and which utilizes Squid as the HTTP proxy
>
> My current Squid2.6STABLE4 setup is as follows:
>
> <snip>
> https_port webmail:443 \
> defaultsite=webmail.foo.com vhost \
> cert=/usr/local/etc/squid/certs/webmail.foo.com.pem \
> cafile=/etc/CA/ssl/public/vsign-class3.crt \
> # clientca=/etc/CA/ssl/public/ca.pem \
> # crlfile=/etc/CA/ssl/public/crl.pem \
> # sslflags=DELAYED_AUTH \
> capath=/etc/CA/ssl/public

DELAYED_AUTH does not work yet.. (as indicated in the comments).

clientca and crlfile should both work.. clientca will make Squid ask the
client for a certificate issued by those CAs, and to trust client
certificates issued by those CAs in addition to the CAs already trusted.

> What I need to know is why I can't get it to work e.g.: what should go into
> the clientca option?

The public certificate(s) of the CA you want to ask the client to
provide a certificate from.

> I have tried with the certificate of the CA (own CA self-signed), but for
> some strange reason I get "SSL unknown certificate error 12 (or 20)" and
> then a lot of SSL errors indicating that the client didn't supply a
> certificate ...

No idea. Worked for me last time I tried..

Regards
Henrik
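A way to check, outside Squid, whether a CA file intended for clientca actually validates a given client certificate. This is an added example, not part of the original thread; the CAs and client certificate are constructed throwaway test data, and the file and function names are assumptions. It reports OpenSSL's numeric verify code, where 0 means the chain verifies and 20 is OpenSSL's "unable to get local issuer certificate".

```shell
#!/bin/sh
# Added example with constructed data: two throwaway CAs and one client
# certificate, all created in a temporary directory.

# make_ca NAME -> NAME.key and NAME.pem (self-signed CA certificate)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# make_client CA NAME -> NAME.key and NAME.pem, issued by CA
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# verify_code CA_FILE CLIENT_CERT
# Prints 0 when CLIENT_CERT verifies against CA_FILE, otherwise the first
# numeric OpenSSL verify error (the same numbering as the codes in SSL logs).
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" |
               sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

demo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    make_ca right-ca             # the CA that issued the client certificate
    make_ca wrong-ca             # an unrelated CA
    make_client right-ca client
    echo "CA file right-ca.pem -> verify code $(verify_code right-ca.pem client.pem)"
    echo "CA file wrong-ca.pem -> verify code $(verify_code wrong-ca.pem client.pem)"
}

demo
```

Running `verify_code` with the real CA file and a real client certificate shows whether the issuer is missing from the file before Squid is involved at all.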