Erwan Le Du wrote:
> Hi,
> I'm using "squid" as a reverse proxy to allow the users to connect to
> Exchange 2007 from the outside. All is OK (OWA and RPC over HTTPS) but
> I would like to know if we can secure the connections with a
> certificate. I would like the users to be required to have the
> certificate to connect to the Outlook Web Access. For the moment, if I
> don't have the certificate I get a warning from the internet browser
> (because it's a self-signed certificate) but I can continue and
> finally "catch" the OWA interface... With Apache I can use
> SSLVerifyClient but I don't know if it's possible with Squid as a
> reverse proxy. Otherwise I can enable the option "client certificate
> require" in the SSL settings for the folder "owa" in IIS 7, but I would
> like to connect to Outlook Web Access from the internal network
> without a certificate.
Sure you can. These three things can be done to strengthen the
certificate security chain:
* Remove the "sslflags=DONT_VERIFY_PEER" and Squid will check that the
certificate provided by OWA is valid and trustworthy, rejecting
connections to the peer if not.
* Setting a client certificate which OWA trusts in the squid
cache_peer line will strengthen the link between Squid and OWA and
permit OWA to check that it is Squid doing the contact.
(NP: says nothing about clients using Squid though, only the
particular Squid->OWA link)
* Having the certificate presented by https_port signed properly by a
CA which the clients trust. Will resolve that self-signed warning.
OR
* Specifying clientca= option on https_port can set the list of
trusted CA used to verify the visiting clients' certificate.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.7
Beta testers wanted for 3.2.0.1
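As an added example (not from Amos's reply or the Squid project), here is a squid.conf reverse-proxy fragment that applies the points above: the weak cache_peer line with DONT_VERIFY_PEER is shown commented out next to the hardened one, and clientca= is put only on an external https_port so that internal users still reach OWA without a client certificate. All file paths, hostnames, addresses and the two-address layout are assumptions for illustration.

```conf
# Added example: squid.conf fragment for a reverse proxy in front of OWA.
# Paths, addresses and names are placeholders, not values from the thread.

# --- Before (weak): OWA's certificate is never verified and any browser
#     reaching the port is accepted after the self-signed warning.
# cache_peer 10.0.0.5 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=owa
# https_port 443 accel defaultsite=owa.example.com cert=/etc/squid/selfsigned.pem key=/etc/squid/selfsigned.key

# --- After (hardened) ---
# 1. Squid -> OWA link: no DONT_VERIFY_PEER, so Squid verifies the OWA server
#    certificate against the internal CA (sslcafile=) and checks the name
#    (ssldomain=). sslcert=/sslkey= is the client certificate Squid presents,
#    which OWA is configured to trust, so OWA knows it is Squid connecting.
cache_peer 10.0.0.5 parent 443 0 no-query originserver ssl ssldomain=owa.example.com sslcafile=/etc/squid/internal-ca.pem sslcert=/etc/squid/squid-client.pem sslkey=/etc/squid/squid-client.key front-end-https=on name=owa

# 2. External listener (public address): server certificate issued by a CA
#    the browsers trust, which removes the self-signed warning, plus
#    clientca= so every visiting client must present a certificate that
#    chains to our client CA. Without clientca= no client cert is requested.
https_port 203.0.113.10:443 accel defaultsite=owa.example.com cert=/etc/squid/owa-public.pem key=/etc/squid/owa-public.key clientca=/etc/squid/client-ca.pem

# 3. Internal listener (LAN address): same trusted server certificate but no
#    clientca=, so internal users connect without a client certificate.
https_port 192.168.1.10:443 accel defaultsite=owa.example.com cert=/etc/squid/owa-public.pem key=/etc/squid/owa-public.key

# Only forward requests for the OWA site to the peer; deny everything else.
acl owa_site dstdomain owa.example.com
http_access allow owa_site
cache_peer_access owa allow owa_site
cache_peer_access owa deny all
http_access deny all
```

With clientca= set, a client that presents no certificate is rejected during the TLS handshake on that port, which is the behaviour wanted for the external address; the internal listener is what keeps LAN access certificate-free.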