On Monday 22 March 2010 23:30:27, Amos Jeffries wrote:
> Luis Daniel Lucio Quiroz wrote:
> > On Monday 22 March 2010 21:47:05, Guido Marino Lorenzutti wrote:
> >> Hi people: I'm trying to give my clients access to my non-SSL
> >> webservers through my reverse proxies, adding SSL support on them.
> >>
> >> Like the subject tries to explain:
> >>
> >> WAN CLIENTS --- SSL SQUID (443) --- NON SSL webserver (80).
> >>
> >> This is the relevant part of the squid.conf:
> >>
> >> https_port 22.22.22.22:443 cert=/etc/squid/crazycert.domain.com.crt
> >> key=/etc/squid/crazycert.domain.com.key
> >> defaultsite=crazycert.domain.com vhost
> >> sslflags=VERIFY_CRL_ALL,VERIFY_CRL cafile=/etc/squid/ca.crt
> >> clientca=/etc/squid/ca.crt
>
> The "cafile=" option overrides the "clientca=" option and contains a single
> CA to be checked.
>
> Set clientca= to the file containing the officially accepted global CA
> certificates. The type used for multiple certificates is a .PEM file, if
> I understand it correctly.
>
> If you have issued the clients with certificates signed by your own
> custom CA, then add that to the list as well.
>
> I will assume that you know how to do that, since you are requiring it.
>
> >> cache_peer crazycert.domain.com parent 80 0 no-query proxy-only
> >> originserver login=PASS
> >>
> >> I'm using a self-signed certificate, and the squid should not allow the
> >> connection if the client does not have a valid key.
> >>
> >> When I try to connect I get this error:
> >>
> >> 2010/03/23 00:39:47| SSL unknown certificate error 3 in
> >> /C=AR/ST=Buenos Aires/L=Ciudad Autónoma de Buenos Aires/O=Consejo
> >> de la Magistratura de la C.A.B.A./OU=Dirección de Informática y
> >> Tecnología/CN=Guido Marino
> >> Lorenzutti/emailAddress=glorenzutti@xxxxxxxxxxxxxxxx
> >>
> >> 2010/03/23 00:39:47| clientNegotiateSSL: Error negotiating SSL
> >> connection on FD 12: error:140890B2:SSL
> >> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)
> >>
> >> Any ideas?
> >> I don't think the problem is in the certificates, because I'm using them on
> >> an Apache working as a reverse proxy. But I would prefer having squid
> >> for everything.
> >>
> >> Thanks in advance.
> >
> > You can't.
> > Look for the Apache fake-ssl mod to do that.
>
> @Luis: What do you mean?
>
> For reverse proxy environments it is possible and easily done, AFAIK.
>
> Amos

Oh, I did try that scenario once and I couldn't.
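A worked version of the configuration discussed in this thread, added here as an illustration; it is not code from the thread or from the Squid project. It places the https_port line as posted beside a corrected one. The https_port options cert=, key=, clientca=, cafile=, crlfile= and sslflags= are documented Squid 3.1 options; the file names /etc/squid/client-cas.pem and /etc/squid/client-cas.crl, and the choice of which CAs go into the bundle, are assumptions made for this example. Two things stand out in the posted line: cafile= and clientca= name the same single-certificate file, so whichever option Squid honours, exactly one CA is trusted; and VERIFY_CRL and VERIFY_CRL_ALL are set without any crlfile=, so the verifier has no CRL to consult. OpenSSL's X.509 verify error code 3 is X509_V_ERR_UNABLE_TO_GET_CRL, which is consistent with the "SSL unknown certificate error 3" line in the posted log.

```conf
# --- As posted (client certificate verification fails) ---
# cafile= and clientca= point at the same one-CA file, and the CRL flags are
# set although no crlfile= is given, so OpenSSL cannot obtain a CRL to check.
https_port 22.22.22.22:443 cert=/etc/squid/crazycert.domain.com.crt key=/etc/squid/crazycert.domain.com.key defaultsite=crazycert.domain.com vhost sslflags=VERIFY_CRL_ALL,VERIFY_CRL cafile=/etc/squid/ca.crt clientca=/etc/squid/ca.crt

# --- Corrected (file names below are assumed for this example) ---
# /etc/squid/client-cas.pem: PEM bundle of every CA whose client certificates
# should be accepted. A PEM bundle is simply the CA .crt files concatenated,
# e.g.  cat ca.crt other-ca.crt > client-cas.pem
# /etc/squid/client-cas.crl: PEM CRL issued by that CA. It is required while
# the VERIFY_CRL flags are set; if no CRL is published, drop sslflags= instead.
https_port 22.22.22.22:443 cert=/etc/squid/crazycert.domain.com.crt key=/etc/squid/crazycert.domain.com.key defaultsite=crazycert.domain.com vhost clientca=/etc/squid/client-cas.pem crlfile=/etc/squid/client-cas.crl sslflags=VERIFY_CRL_ALL,VERIFY_CRL

# The origin server stays plain HTTP behind the proxy, as in the thread.
cache_peer crazycert.domain.com parent 80 0 no-query proxy-only originserver login=PASS
```

With clientca= set and no DELAYED_AUTH flag, Squid asks for a client certificate during the handshake and drops connections whose certificate does not chain to a CA in the bundle, which is the behaviour the original poster asked for. One caveat for anyone using this as access control: every certificate chaining to any CA in the bundle passes the handshake, so if the goal is "only clients I issued certificates to", keep the bundle to the private CA that issued them rather than adding the public root CAs as well.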