Hello,

I have a problem regarding the authentication of client certificates.

The situation: We have an application server (appsrv), running a web-application on port 7511 (plaintext http). Internal clients connect to this server using plain http over port 7511 directly to the server. External clients connect using https over port 443 through a reverse proxy. The proxy connects plain http to port 7511 on the appsrv.

Corporate policy requires us to place the reverse proxy in a "secure subnet" (ssn). This is a sort of dmz behind a dmz. Note that the proxy now has no working connection to the Internet. In the dmz exists a machine that does a port-forwarding of port 443 to our proxy. The firewalls are configured to allow that. Our proxy connects to port 7511 of the appsrv. The firewalls are configured to allow that too.

  Internet -- firewall -- dmz -- firewall -- ssn -- firewall -- local lan
     |                     |                  |                     |
  clients ----443---> port forw. --443-> rev. proxy ----7511---> appsrv

The reverse proxy is a Squid-cache, version 2.6.STABLE19, running on Red Hat Enterprise Linux AS release 4 (Nahant Update 6).

The config of the squid box is (more or less) as follows:

  https_port <our_ip>:443 \
      cert=/etc/ssl/server.crt \
      key=/etc/ssl/server.key \
      clientca=/etc/ssl/clientca.ca-bundle \
      cafile=/etc/ssl/root.ca-bundle \
      defaultsite=appsrv \
      vhost \
      sslflags=NO_SESSION_REUSE

  cache_peer appsrv parent 7511 0 originserver no-query default no-digest

I've got a few questions about this, which I can't find in the manual, the FAQ and, for that matter, with Google.

First, the browsers (IE and FF) give me a selection box where I can select the client certificate to use. But not all client certificates I installed are listed. How does the browser know which certificates to select, or, how does the server tell this to the browser?

Second, the only way out to the internet is through another proxy (I think a Microsoft ISA server). How can I tell Squid (or OpenSSL) to use this proxy for outgoing CA and CRL verification requests? I have put 'http_proxy="http://192.168.x.y:8080"' into the /etc/sysconfig/network file, which is sourced by /etc/init.d/squid, but I haven't been able to verify if this is working.

Third, recently we changed to another SSL provider (Comodo) and I've changed something in the configuration and client certificate verification didn't work anymore. I've tried some things, but I'm at a loss here. Can anyone clarify what actually happens during client verification?

Currently I've disabled client certificate verification (removed the clientca line), so the users can still work. I don't have a test platform, and the pilot site was forced into production before I had time to test it all.

I've read somewhere that this client certificate stuff in Squid is still experimental, but we'd really want to have it working.

Thanks in advance,

Kind Regards,
Alex van Denzel.
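The first and third questions above both come down to the TLS CertificateRequest: the server sends the subject names of the CAs in its client-CA bundle (Squid's clientca= file), the browser offers only client certificates whose issuer chain ends in one of those names, and the server then verifies the presented certificate against the same bundle. The shell script below is an added example, not part of the original post and not Squid's code. It uses the openssl command line (assumed to be installed, as it is on Red Hat) to build a throwaway CA and client certificates under a temporary directory, list the names a server loaded with that bundle would advertise, and run the verification step locally. The file names, the CA and client names, and the demo function are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from Squid: uses the openssl
# CLI to show what decides which client certificates a browser offers, and to
# check a client certificate against a clientca bundle the way a server does.
# Everything under $WORK is constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca <prefix> <common-name>: self-signed demo CA (constructed, not real).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_client <ca-prefix> <prefix> <common-name>: client cert signed by that CA.
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# advertised_ca_names <bundle>: the subject DN of every certificate in the
# bundle. A TLS server sends exactly these names in its CertificateRequest
# (the "Acceptable client certificate CA names" that openssl s_client prints),
# and browsers list only client certificates whose issuer chain ends in one
# of them. With Squid, the bundle is the clientca= file.
advertised_ca_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject=//p'
}

# client_issuer <client.crt>: the issuer DN the browser compares against the
# advertised names when deciding whether to offer this certificate.
client_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# check_client_chain <bundle> <client.crt>: the server-side verification step,
# done purely locally against the bundle; prints "ok" or "fail".
check_client_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# demo: one CA in the bundle, one outside it, one client certificate from each.
demo() {
    make_ca clientca "Demo Client CA"
    make_ca otherca  "Unrelated CA"
    make_client clientca alice "alice"
    make_client otherca  bob   "bob"
    cat "$WORK/clientca.crt" > "$WORK/clientca.ca-bundle"

    echo "Names the server would advertise:"
    advertised_ca_names "$WORK/clientca.ca-bundle"
    echo "alice issuer: $(client_issuer "$WORK/alice.crt")"
    echo "bob   issuer: $(client_issuer "$WORK/bob.crt")"
    echo "alice (issued by the advertised CA): $(check_client_chain "$WORK/clientca.ca-bundle" "$WORK/alice.crt")"
    echo "bob   (issued by another CA):        $(check_client_chain "$WORK/clientca.ca-bundle" "$WORK/bob.crt")"
}

demo
```

Against the live proxy, `openssl s_client -connect <proxy>:443` prints the same list under "Acceptable client certificate CA names" (or "No client certificate CA names sent" when no client-CA bundle is configured), which is the quickest way to see what the browser is being told and so why some installed certificates are not offered. Note that `openssl verify` makes no network connections: it checks the chain only against the files it is given, and a revocation check needs the CRL supplied locally, so an outbound proxy setting affects how a CRL is fetched, not the verification itself.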