Henrik,

>> What I want Squid to do is authenticate the client using client
>> certificates (That is how my current firewall works) which will be
>> replaced by the one I'm building now and which utilizes Squid as the
>> HTTP proxy
>>
>> My current Squid2.6STABLE4 setup is as follows:
>>
>> <snip>
>> https_port webmail:443 \
>>     defaultsite=webmail.foo.com vhost \
>>     cert=/usr/local/etc/squid/certs/webmail.foo.com.pem \
>>     cafile=/etc/CA/ssl/public/vsign-class3.crt \
>> #   clientca=/etc/CA/ssl/public/ca.pem \
>> #   crlfile=/etc/CA/ssl/public/crl.pem \
>> #   sslflags=DELAYED_AUTH \
>>     capath=/etc/CA/ssl/public

> DELAYED_AUTH does not work yet.. (as indicated in the comments).

OK. I already saw this ...

> clientca and crlfile should both work.. clientca will make Squid ask
> the client for a certificate issued by those CAs, and to trust client
> certificates issued by those CAs in addition to the CAs already trusted.

>> What I need to know is why I can't get it to work e.g.: what should go
>> into the clientca option?

> The public certificate(s) of the CA you want to ask the client to
> provide a certificate from.

I have it set up like this ...

>> I have tried with the certificate of the CA (own CA self-signed), but for
>> some strange reason I get "SSL unknown certificate error 12 (or 20)"
>> and then a lot of SSL errors indicating that the client didn't supply a
>> certificate ...

> No idea. Worked for me last time I tried..

Hmm, fuzzy then. Which browser did you use? I use IE 7 at the moment .. can
that be the problem?

Regards
Bert.
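Added example, not from this thread and not Squid project code: a small POSIX shell script that recreates the "error 20" case Bert reports using throwaway certificates, so the clientca= and capath= material can be checked with openssl before it goes into squid.conf. OpenSSL verify result 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ("unable to get local issuer certificate"), meaning the client certificate's issuer is not among the CAs Squid was given; result 12 is X509_V_ERR_CRL_HAS_EXPIRED, so with crlfile= set it is also worth checking the CRL's nextUpdate (openssl crl -noout -nextupdate -in crl.pem). The script assumes the openssl command-line tool is installed; the CA and client names, the WORK directory and every file path in it are made up for the demonstration.

```shell
#!/bin/sh
# Constructed example: a throwaway CA, a second unrelated CA and one client
# certificate, used to reproduce OpenSSL verify result 20 ("unable to get
# local issuer certificate") and to show the subject-hash layout that a
# capath directory needs. All names below are made up for the demonstration.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed CA certificate (req -x509 marks it CA:TRUE),
# written to $WORK/NAME.crt and $WORK/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_client CA NAME: client certificate signed by $WORK/CA.crt
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_code [openssl verify options] CERT: print the numeric X509 verify
# result, 0 when the chain is accepted. On failure openssl prints a line of
# the form "error N at D depth lookup: <reason>", from which N is taken.
verify_code() {
    if out=$(openssl verify "$@" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# verify_with_cafile CAFILE CERT: the lookup Squid's clientca= file feeds
verify_with_cafile() {
    verify_code -no-CApath -CAfile "$1" "$2"
}

# verify_with_capath DIR CERT: the lookup Squid's capath= directory feeds;
# OpenSSL only finds CAs in DIR under <subject hash>.<n> file names
verify_with_capath() {
    verify_code -no-CAfile -CApath "$1" "$2"
}

# install_in_capath DIR CACERT: copy CACERT into DIR under its subject hash
# (the same layout c_rehash / "openssl rehash" produce)
install_in_capath() {
    mkdir -p "$1"
    cp "$2" "$1/$(openssl x509 -noout -hash -in "$2").0"
}

# Demonstration run
make_ca goodca
make_ca otherca
issue_client goodca client

echo "right CA as clientca file:     $(verify_with_cafile "$WORK/goodca.crt" "$WORK/client.crt")"   # 0
echo "unrelated CA as clientca file: $(verify_with_cafile "$WORK/otherca.crt" "$WORK/client.crt")"  # 20

mkdir -p "$WORK/capath"
cp "$WORK/goodca.crt" "$WORK/capath/goodca.crt"   # plain file name: capath lookup never sees it
echo "capath without hash names:     $(verify_with_capath "$WORK/capath" "$WORK/client.crt")"       # 20
install_in_capath "$WORK/capath" "$WORK/goodca.crt"
echo "capath with hash name:         $(verify_with_capath "$WORK/capath" "$WORK/client.crt")"       # 0
```

Run as is; it prints 0 for the chain OpenSSL accepts and 20 for the two failure cases. The capath half is the one that matters for the configuration quoted above: capath=/etc/CA/ssl/public only helps if that directory holds the CA certificates (or symlinks to them) under their subject-hash names, which is what c_rehash or "openssl rehash" produce; a directory containing ca.pem under its plain file name is silently treated as empty, and the client certificate then fails with exactly the "unable to get local issuer certificate" result.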