On Mon, 02/02/2009 at 11:14 +0100, Mailing List SVR wrote:
> On Sun, 01/02/2009 at 10:49 +0100, Mailing List SVR wrote:
> > On Sun, 01/02/2009 at 22:10 +1300, Amos Jeffries wrote:
> > > Mailing List SVR wrote:
> > > > On Sun, 01/02/2009 at 21:56 +1300, Amos Jeffries wrote:
> > > > > Mailing List SVR wrote:
> > > > > > On Sun, 01/02/2009 at 20:28 +1300, Amos Jeffries wrote:
> > > > > > > Mailing List SVR wrote:
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > I have a soap client using python ZSI, the other end is oracle soa
> > > > > > > > 10.1.3.1.0; all has worked fine for some months. Last week oracle soa
> > > > > > > > was configured to accept client certificate authentication over https.
> > > > > > > > If I try to use the standard python httplib.HTTPSConnection library it
> > > > > > > > fails with the infamous "bad record mac" error, and so does ZSI, which
> > > > > > > > uses httplib. Other java tools such as soapui work just fine with oracle
> > > > > > > > soa.
> > > > > > > >
> > > > > > > > Can squid do the hard work for me in the following configuration?
> > > > > > > >
> > > > > > > > ZSI soap client -> squid proxy over http -> oracle soa https
> > > > > > > >
> > > > > > > > however squid could authenticate to oracle soa by loading the cert file
> > > > > > > > and the cert key from a local file.
> > > > > > > >
> > > > > > > > So I would like to send my soap request to squid over http and squid
> > > > > > > > could connect to oracle soa over https presenting its own client
> > > > > > > > certificate (not sent from my application but loaded from a local file).
> > > > > > > >
> > > > > > > > Is this configuration possible?
> > > > > > > >
> > > > > > > > thanks
> > > > > > > > Nicola
> > > > > > > >
> > > > > > > Yes Squid can certainly act as an HTTP->HTTPS proxy for you.
> > > > > > > Just configure a normal cache_peer pointing at oracle using SSL,
> > > > > > > http://www.squid-cache.org/Doc/config/cache_peer/
> > > > > > > and configure ZSI to connect to the Squid HTTP port without SSL.
> > > > > > thanks but squid needs to present a client certificate to authenticate
> > > > > > against oracle, cache_peer seems to lack a directive to specify the certificate,
> > > > > >
> > > > > Look again:
> > > > > ssl
> > > > > sslcert=/path/to/ssl/certificate
> > > > > sslkey=/path/to/ssl/key
> > > > > sslversion=1|2|3|4
> > > > > sslcipher=...
> > > > > ssloptions=...
> > > > >
> > > > You are right but I'm not a squid expert so I need some more directions
> > > > please.
> > > >
> > > > I added this line to squid.conf
> > > >
> > > > cache_peer <oraclesoahostname> parent 443 0 no-query no-digest
> > > > no-netdb-exchange proxy-only default ssl
> > > > sslcert=/etc/squid/cert/clients1.crt sslkey=/etc/squid/cert/clients1.key
> > > > sslversion=1
> > > >
> > > > <oraclesoahostname> is in my hosts file,
> > > >
> > > > now how does squid redirect the request to <oraclesoahostname> and how can I
> > > > connect to squid? On the standard 3128 port (for example wget
> > > > http://<squidip>:squidport/<what here?>) or do I have to use it as an http
> > > > proxy (export HTTP_PROXY=...)?
> > > >
> > > > thanks for your patience,
> > > >
> > > > Nicola
> > > >
> > > Depends on what Squid is listening on.
> > > Normal http_port 3128 is connected to normally as any other proxy with
> > > HTTP to port 3128.
> > >
> > > If the certificate is working, squid will start up and mention that it's
> > > read and checked the cert. And requests go out to the peer.
> > >
> > > Amos
> >
> > Ok thanks, seems to work just fine using my test server (apache with
> > client auth certificate), here are the relevant config options:
> >
> > http_port 3128 accel defaultsite=<test apache site>
> >
> > cache_peer <test apache site> parent 443 0 no-query no-digest
> > no-netdb-exchange ssl sslcert=/etc/squid/cert/clients1.crt
> > sslkey=/etc/squid/cert/clients1.key sslversion=1 originserver
> > sslflags=DONT_VERIFY_PEER proxy-only default
> >
> > I'm able to use soap ui towards <squid ip>:3128 and it works fine,
> >
> > however zsi works in my test environment too, oracle soa is a different
> > beast (curl, wget, python httplib all fail with oracle soa and work
> > with both apache and iis https with client certificate), tomorrow I'll
> > try with squid in front of it ...
> >
> > thanks again
> > Nicola
>
> With oracle soa I have the following error:
>
> fwdNegotiateSSL: Error negotiating SSL connection on FD 15:
> error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
> (1/0/0)

Solved, I have to force squid to use ssl version 2 only and now it works fine, thanks
Nicola
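The setup the thread converges on, written out as an added example rather than anyone's posted config. The hostname soa.example.internal, the /etc/squid/cert/ paths and the CA file name are placeholders. It differs from the working line in the thread in one point: peer verification stays on (sslcafile= and ssldomain=) instead of being switched off with sslflags=DONT_VERIFY_PEER, so Squid also checks that the server it hands the client certificate to is the real origin.

```conf
# Added example: Squid as a plain-HTTP front for an HTTPS origin that
# requires a client certificate. soa.example.internal and the
# /etc/squid/cert/* paths are placeholders.

# Clients (ZSI, curl, soapui) speak plain HTTP to port 3128. "accel" makes
# Squid a reverse proxy; "defaultsite" supplies the Host header when the
# client sends none.
http_port 3128 accel defaultsite=soa.example.internal

# Only requests for the accelerated site are allowed through.
acl soa_site dstdomain soa.example.internal
http_access allow soa_site
http_access deny all

# Single origin server, reached over TLS with Squid's own client cert.
# sslversion=1 lets OpenSSL negotiate (2 = SSLv2 only, 3 = SSLv3 only,
# 4 = TLSv1 only). sslcafile= and ssldomain= keep peer verification on:
# the origin's certificate must chain to soa-ca.pem and name the host.
cache_peer soa.example.internal parent 443 0 no-query no-digest no-netdb-exchange originserver proxy-only default ssl sslcert=/etc/squid/cert/clients1.crt sslkey=/etc/squid/cert/clients1.key sslversion=1 sslcafile=/etc/squid/cert/soa-ca.pem ssldomain=soa.example.internal

# Weak variant from the thread, shown only for comparison: DONT_VERIFY_PEER
# accepts whatever certificate the far end presents, so anything answering
# on that name and port would receive the client-certificate handshake and
# the SOAP traffic.
# cache_peer soa.example.internal parent 443 0 no-query no-digest no-netdb-exchange originserver proxy-only default ssl sslcert=/etc/squid/cert/clients1.crt sslkey=/etc/squid/cert/clients1.key sslversion=1 sslflags=DONT_VERIFY_PEER
```

Two checks before reloading: `squid -k parse` validates the file, and the certificate and key should belong together, which `openssl x509 -noout -modulus -in clients1.crt | openssl md5` and `openssl rsa -noout -modulus -in clients1.key | openssl md5` confirm when they print the same digest. The thread's final workaround, sslversion=2, pins the peer connection to SSLv2 only; that depends on an OpenSSL build that still includes SSLv2, which current builds no longer do, so it is specific to the Squid and OpenSSL versions of the time.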