Reiner Menkens wrote:
Hi,
we are using squid (3.0) in accelerator mode using https:
https_port 443 cert=/etc/squid/cert.pem key=/etc/squid/key.pem defaultsite=mail.domain.de
cache_peer 10.1.1.1 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=mail.domain.de
...some acls...
this is working fine.
Now our customer wants to add a little bit of security by authenticating
the clients on the internet using client certificates. Is it possible to
make squid request a client certificate (and if it is, how)? Or does the
"real server" have to request the certificate? I didn't find anything
like that in the docs - if I missed that, please give me a hint where to
find it.
client (internet) -----> squid (DMZ) -----> real server
                 client-cert?        check if client
                                     cert is valid?
(My knowledge is low regarding the cert handshake, so take with salt).
I believe that is done by the clients themselves verifying Squid's cert.
Just make sure it is signed by a public authority the clients can trust.
Squid verifying the back-end peer cert is done by simply removing the
"sslflags=DONT_VERIFY_PEER" and ensuring the cert Squid uses is properly
signed by an authority the peer trusts.
Be careful that the certs are all fine before removing that option; it
will result in peer requests dying if they fail the verify.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.6
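As an added example (not from this thread and not Squid's own code), here is the check Amos's last paragraph asks for: confirm that the back-end's certificate actually chains to a CA file before dropping sslflags=DONT_VERIFY_PEER. The script builds a throwaway CA, a back-end certificate signed by it, and a self-signed certificate of the kind many appliances ship with, all constructed on the fly in a temp directory; the CA name and file paths are assumptions for the example. verify_peer then runs the same chain validation Squid's peer verification performs, so you can see the signed cert pass and the self-signed cert fail.

```shell
#!/bin/sh
# Added example: exercise the peer-cert verification that Squid will start
# enforcing once sslflags=DONT_VERIFY_PEER is removed from cache_peer.
set -e
WORK=$(mktemp -d)

# Throwaway CA, constructed for this example only.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -days 2 -subj "/CN=Example Internal CA" 2>/dev/null

# Back-end ("real server") certificate signed by that CA.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/backend.key" \
    -out "$WORK/backend.csr" -subj "/CN=mail.domain.de" 2>/dev/null
openssl x509 -req -in "$WORK/backend.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/backend.pem" \
    -days 2 2>/dev/null

# A self-signed certificate with the same name: typical appliance default.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/selfsigned.key" \
    -out "$WORK/selfsigned.pem" -days 2 -subj "/CN=mail.domain.de" 2>/dev/null

# verify_peer CAFILE CERT
# Returns 0 if CERT chains to a CA in CAFILE, 1 otherwise.
# The grep on ": OK" keeps the result stable across OpenSSL versions
# whose exit status differs on verification failure.
verify_peer() {
    if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
        echo "ok:   $2 chains to $1"
        return 0
    fi
    echo "FAIL: $2 does not chain to $1 (Squid would refuse this peer)"
    return 1
}

# Demonstration: signed cert passes, self-signed cert fails.
verify_peer "$WORK/ca.pem" "$WORK/backend.pem"
if verify_peer "$WORK/ca.pem" "$WORK/selfsigned.pem"; then
    echo "unexpected: self-signed cert verified"
fi
```

Against the live back-end the equivalent check is `openssl s_client -connect 10.1.1.1:443 -CAfile ca.pem`, looking for `Verify return code: 0 (ok)` in the output. The CA file that makes that succeed is the one to hand to Squid alongside the cache_peer line once DONT_VERIFY_PEER is gone.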