Benjamin Indermühle wrote:
Hello
I am trying to set up a Squid between my Exchange server and the outside
world.
I am having trouble getting NTLM to work.
[internet]---<https>---[squid]---<https>---[exchange]
Squid's job would be to terminate the SSL connection, start a new one
to the NTLM server and pass the NTLM authorization through to Exchange.
The SSL connection Squid -> Exchange is getting terminated with the
following error in Squid:
2009/09/18 09:05:38| fwdNegotiateSSL: Error negotiating SSL connection
on FD 18: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2009/09/18 09:05:38| TCP connection to xchg07-dev-be.dev.domain.com
(10.1.3.20:443) failed
If I switch the connection Squid <-> Exchange to HTTP, the connection
does not break, and NTLM auth works.
Your SSL certificate may be being rejected by the Exchange server then.
I have tried all kinds of parameters in the configuration
With or without client certificate, nothing helped the connection
terminates every time.
I have also tried different versions of Squid, namely:
Squid Cache: Version 2.7 STABLE6
Squid Cache: Version 2.6 STABLE20
I am running CentOS 5 on the server.
I took a closer look at the NTLM handshake and made a tcpdump on Squid
to see how and when the connection is terminated:
>>>>>>>>>>>>> Page Request
Please authenticate with NTLM <<<<<<
>>>>>>>>>>>>> NTLM negotiate
NTLM challenge <<<<<<<<<<<<<<<<<<<
TCP Connection should not be terminated from here on
Squid resends Client Hello package
Exchange terminates connection.
Connection is reopened.
>>>>>>>>>>>> NTLM Authentication
RESET <<<<<<<<<<<<<<<<<<<<<<
This is my squid config:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 10.1.16.33:443 cert=/etc/squid/ssl/webmail-dev.crt key=/etc/squid/ssl/webmail-dev.key cafile=/etc/squid/ssl/webmail-dev.crt defaultsite=webmail-dev.domain.com
cache_peer 10.1.3.20 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid/ssl/sextans-be.cert sslkey=/etc/squid/ssl/sextans-be.key sslcafile=/etc/squid/ssl/someca-cax509.cert
# access control
acl all src 0.0.0.0/0.0.0.0
# basic URL based access restriction for DEV Exchange 2007
acl url_allow url_regex -i ^https://webmail-dev.domain.com/
http_access allow url_allow
http_access deny all
# extra access log file
access_log /var/log/squid/access.log
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Any help would be appreciated.
Best regards,
Benjamin Indermühle
http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
* You are missing a never_direct entry.
* Your certificate settings differ from those known to work with Exchange.
* You are using a full URL regex to match a simple domain name. Use
dstdomain instead.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
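The following is a reworked version of the configuration Benjamin posted, applying the first and third of Amos's points (a never_direct rule and a dstdomain ACL). It is an added example for this thread, not Amos's or Benjamin's text and not the contents of the linked wiki page. The peer label name=exchange and the ACL name exchange_sites are my own choices; the certificate options on https_port and cache_peer are carried over unchanged because the thread does not say which values are the known-good ones.

```conf
# Squid 2.7 reverse-proxy fragment for Exchange RPC-over-HTTPS.
# Added example, not taken from the thread or the wiki page.
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Listener: certificate options kept exactly as originally posted.
https_port 10.1.16.33:443 cert=/etc/squid/ssl/webmail-dev.crt key=/etc/squid/ssl/webmail-dev.key cafile=/etc/squid/ssl/webmail-dev.crt defaultsite=webmail-dev.domain.com

# Origin peer. name=exchange is an assumed label so that cache_peer_access and
# never_direct below can refer to this peer by name. SSL options kept as posted.
cache_peer 10.1.3.20 parent 443 0 no-query originserver login=PASS ssl name=exchange sslcert=/etc/squid/ssl/sextans-be.cert sslkey=/etc/squid/ssl/sextans-be.key sslcafile=/etc/squid/ssl/someca-cax509.cert

# access control
acl all src 0.0.0.0/0.0.0.0

# dstdomain matches the request host directly, so the scheme and path that the
# old url_regex tried to match are not needed.
acl exchange_sites dstdomain webmail-dev.domain.com

# Only the published hostname may be requested through this proxy.
http_access allow exchange_sites
http_access deny all

# Route matching requests to the Exchange peer only, and never let Squid
# bypass the peer by going direct to the origin.
cache_peer_access exchange allow exchange_sites
cache_peer_access exchange deny all
never_direct allow exchange_sites

# extra access log file
access_log /var/log/squid/access.log
```

With never_direct in place, a request that cannot reach the peer produces a Squid error page instead of a direct fetch attempt, which is the intended behaviour for an accelerator that must only ever speak to the one Exchange back end. This fragment does not touch Amos's second point, the certificate settings, since the thread gives no concrete values for them.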