On 18.09.2009, at 16:12, Amos Jeffries wrote:
Benjamin Indermühle wrote:
Hello
I am trying to set up a Squid between my Exchange server and the
outside world.
I am having troubles getting ntlm to work.
[internet]---<https>---[squid]---<https>---[exchange]
Squid's job would be to terminate the SSL connection, start a
new one to the NTLM server and pass the NTLM authorization through
to Exchange.
The SSL connection Squid -> Exchange is getting terminated with the
following error in Squid:
2009/09/18 09:05:38| fwdNegotiateSSL: Error negotiating SSL connection on FD 18: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2009/09/18 09:05:38| TCP connection to xchg07-dev-be.dev.domain.com (10.1.3.20:443) failed
If I switch the connection Squid <-> Exchange to HTTP, the
connection does not break and NTLM auth works.
Your SSL certificate may be being rejected by the Exchange server
then.
I doubt that.
NTLM breaks during the handshake and not when starting the connection.
The SSL connection is established.
Plain auth also works, which wouldn't if the Exchange server didn't
accept the client cert (an error would be displayed).
+ OWA works.
When I look at the TCP stream there is no break of negotiation from
the Exchange; Squid resends a Client Hello on an open SSL tunnel, which
in turn causes Exchange to terminate the connection.
I have tried all kinds of parameters in the configuration,
with or without client certificate; nothing helped, the connection
terminates every time.
I have also tried different versions of Squid, namely:
Squid Cache: Version 2.7 STABLE6
Squid Cache: Version 2.6 STABLE20
I am running CentOS 5 on the server.
I took a closer look at the NTLM handshake and made a tcpdump on
Squid to see how and when the connection is terminated.
>>>>>>>>>>>>> Page Request
Please authenticate with NTLM <<<<<<
>>>>>>>>>>>>> NTLM negotiate
NTLM challenge <<<<<<<<<<<<<<<<<<<
TCP Connection should not be terminated from here on
Squid resends Client Hello package
Exchange terminates connection.
Connection is reopened.
>>>>>>>>>>>> NTLM Authentication
RESET <<<<<<<<<<<<<<<<<<<<<<
This is my squid config
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 10.1.16.33:443 cert=/etc/squid/ssl/webmail-dev.crt key=/etc/squid/ssl/webmail-dev.key cafile=/etc/squid/ssl/webmail-dev.crt defaultsite=webmail-dev.domain.com
cache_peer 10.1.3.20 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid/ssl/sextans-be.cert sslkey=/etc/squid/ssl/sextans-be.key sslcafile=/etc/squid/ssl/someca-cax509.cert
# access control
acl all src 0.0.0.0/0.0.0.0
# basic URL based access restriction for DEV Exchange 2007
acl url_allow url_regex -i ^https://webmail-dev.domain.com/
http_access allow url_allow
http_access deny all
# extra access log file
access_log /var/log/squid/access.log
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
any help would be appreciated.
Best regards
Benjamin Indermühle
http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
* You are missing a never_direct entry.
* Your certificate settings differ from those known to work with
Exchange.
* You are using a full URL regex to match a simple domain name. Use
dstdomain instead.
I have changed my Squid configuration accordingly.
The problem persists.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
# Define the required extension methods
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 10.1.16.33:443 cert=/etc/squid/ssl/webmail-dev.crt.pem defaultsite=webmail-dev.domain.com
cache_peer 10.1.3.20 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid/ssl/sextans-be.pem name=exchangeServer
acl EXCH dstdomain webmail-dev.domain.com
acl all src 0.0.0.0/0.0.0.0
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
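Benjamin's reading of the tcpdump (a Client Hello resent on an open SSL tunnel, after which Exchange drops the connection) can be confirmed from the captured bytes rather than by eye. The following is an added example, not code from this thread or from the Squid project: it splits the client-to-server payload of one TCP stream into TLS records and flags a plaintext ClientHello that arrives after the client's own ChangeCipherSpec, which is what a handshake restarted on an already established session looks like on the wire (a legitimate renegotiation is sent encrypted under the current cipher and would not be flagged). The sample byte stream is constructed for the example, not a real capture; the record layout follows the TLS record layer (RFC 2246/5246) and the Finished and application-data bytes are arbitrary placeholders standing in for ciphertext.

```python
import struct

# TLS record-layer content types, and the handshake message types this
# parser can name while the stream is still in the clear.
CONTENT_NAMES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_NAMES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}


def parse_records(stream):
    """Split one direction of a TCP payload into TLS records.

    Each record is a dict with offset, content type, record version and body.
    A truncated record (what a capture that ends in an RST looks like) raises
    ValueError instead of being silently dropped.
    """
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append({"offset": off, "type": ctype,
                        "version": version, "body": body})
        off += 5 + length
    return records


def looks_like_client_hello(body):
    """True if a handshake record body is a plaintext ClientHello: handshake
    type 1, a 3-byte length that matches the body, and a legacy version of
    SSL 3.0 .. TLS 1.2 (0x0300..0x0303).  Checking all three keeps random
    ciphertext that happens to start with 0x01 from being flagged."""
    if len(body) < 6 or body[0] != 1:
        return False
    hs_len = int.from_bytes(body[1:4], "big")
    return hs_len == len(body) - 4 and body[4] == 3 and body[5] <= 3


def label_records(stream):
    """Walk the client-to-server records of one TCP stream.

    Until the client sends ChangeCipherSpec the handshake bodies are readable
    and get named.  After it every record is encrypted, so a readable
    ClientHello there means the client restarted the handshake in the clear
    on an established session; a well-behaved peer closes such a connection.
    Returns (labels, findings).
    """
    labels, findings, encrypted = [], [], False
    for rec in parse_records(stream):
        ctype, body = rec["type"], rec["body"]
        name = CONTENT_NAMES.get(ctype, "unknown(%d)" % ctype)
        if ctype == 20:
            encrypted = True
            labels.append(name)
        elif ctype == 22 and looks_like_client_hello(body):
            labels.append("handshake:client_hello")
            if encrypted:
                findings.append(
                    "ClientHello at offset %d after ChangeCipherSpec: "
                    "handshake restarted on an open session" % rec["offset"])
        elif encrypted:
            labels.append(name + " (encrypted)")
        elif ctype == 22:
            labels.append("handshake:" + HANDSHAKE_NAMES.get(body[0], str(body[0])))
        else:
            labels.append(name)
    return labels, findings


# --- constructed sample stream (not a real capture) -----------------------

def _record(ctype, body, version=0x0301):
    return struct.pack("!BHH", ctype, version, len(body)) + body


def _client_hello():
    # Minimal TLS 1.0 ClientHello: version, 32-byte random, empty session id,
    # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA), null compression.
    hello = struct.pack("!H", 0x0301) + b"\x11" * 32 + b"\x00" \
        + b"\x00\x02\x00\x2f" + b"\x01\x00"
    return _record(22, b"\x01" + len(hello).to_bytes(3, "big") + hello)


# Client side only of what the dump in the thread describes: a handshake
# that completes, one request worth of application data, then a second
# ClientHello on the same connection.
SAMPLE = (
    _client_hello()
    + _record(22, b"\x10\x00\x00\x02\x00\x00")      # ClientKeyExchange (stub)
    + _record(20, b"\x01")                           # ChangeCipherSpec
    + _record(22, b"\xa7\x3c\x19\xe0" * 4)           # encrypted Finished (placeholder)
    + _record(23, b"\x5e\x02\x8b\xd4" * 8)           # encrypted request (placeholder)
    + _client_hello()                                # the offending restart
)

if __name__ == "__main__":
    labels, findings = label_records(SAMPLE)
    for i, label in enumerate(labels):
        print(i, label)
    for finding in findings:
        print("!!", finding)
```

To run it on a real trace, extract the client-to-server bytes of the Squid -> Exchange stream (for example with Wireshark's Follow TCP Stream, raw output, one direction only) and pass them to label_records(); a finding points at the record where the handshake was restarted, and a ValueError from parse_records() shows the capture ended mid-record, i.e. the reset arrived before the peer had finished sending.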