On 25/02/11 06:32, Martin (Jake) Jacobson wrote:
> Hi, I am trying to build a squid box that will proxy requests to two sites that require a PKI cert. The client doesn't have a cert so I want the squid box to take a request from the client and submit the certs it has to retrieve the resource. I was able to build squid 3.1.11 with ssl support and I have a very basic squid configuration to test. When I run squid -k parse I see that squid sees the certs:
>
> 2011/02/24 17:23:19| Initializing cache_peer akocac SSL context
> 2011/02/24 17:23:19| Using certificate in /webroot/conf/squid/.ssl/server.crt
> 2011/02/24 17:23:19| Using private key in /webroot/conf/squid/.ssl/server.key
> 2011/02/24 17:23:19| NOTICE: Peer certificates are not verified for validity!
> 2011/02/24 17:23:19| Initializing cache_peer informationassurance SSL context
> 2011/02/24 17:23:19| Using certificate in /webroot/conf/squid/.ssl/server.crt
> 2011/02/24 17:23:19| Using private key in /webroot/conf/squid/.ssl/server.key
> 2011/02/24 17:23:19| NOTICE: Peer certificates are not verified for validity!
>
> BUT when I run squid -Nd1 I don't see any information about using the certs or private key!!!
Strange. Check that you do not have another instance of Squid using another squid.conf sitting around somewhere.
> When squid is running I have tried to:
>
> 1. Configure my web browser to use the squid proxy and retrieve a resource, but instead of the Squid certs being passed, I am requested to use my certs loaded in my browser.
The major browsers pass https:// requests to the proxy for handling quite differently to http://. They only open a CONNECT tunnel instead and do all of the SSL encryption inside it themselves.
> 2. Telnetting to the box and doing a GET request for the resource:
>
> telnet localhost 3128
> Connected to linsrcheval2o.
> Escape character is '^]'.
> GET https://myProtectedSitel/pki/login/external_silent_autologin.jhtml HTTP/1.0
> 403 Forbidden
Well, to point out the obvious, that is "Forbidden". The test itself, if not forbidden by the ACLs somewhere, should have used the squid cache_peer certs.
Find out which software and controls are blocking it and you will have a good way to test this setup.
> Both cases seem to indicate that squid is not using the PKI cert/key it has. Here is my configuration file:
>
> cache_peer protectedSite1 parent 443 0 no-query ssl sslcert=/webroot/conf/squid/.ssl/server.crt sslkey=/webroot/conf/squid/.ssl/server.key sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3 sslflags=DONT_VERIFY_PEER originserver proxy-only name=site1
>
> cache_peer protectedSite2 sibling 443 0 no-query no-digest no-netdb-exchange ssl sslcert=/webroot/conf/squid/.ssl/server.crt sslkey=/webroot/conf/squid/.ssl/server.key sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3 sslflags=DONT_VERIFY_PEER originserver proxy-only name=site2
Assuming the keys are all correct that looks right for encrypting the origin link from Squid.
> Let me know if you need anything else and thanks for the help on this.
In order to get the browsers past their tendency for CONNECT you will have to set up an http_port with reverse-proxy settings and set the local DNS to point browsers at your Squid for that particular site.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
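A minimal squid.conf fragment for the reverse-proxy setup Amos describes, added here as an illustration; it is not the configuration from this thread or Squid's own documentation, and the hostname site1.example, the file paths and the port are placeholders. Unlike the thread's cache_peer lines it leaves out sslversion=3 (SSLv3 only) and sslflags=DONT_VERIFY_PEER, so OpenSSL negotiates the protocol version and the origin's certificate is actually checked against sslcapath, which is what the NOTICE in the squid -k parse output above is warning about.

```conf
# Example squid.conf fragment (Squid 3.1 syntax). Placeholders:
# site1.example, protectedSite1, /path/to/... - replace with your own.

# Browsers are pointed at this Squid by local DNS for site1.example and
# speak plain HTTP to it. "accel" makes Squid treat the request as a
# reverse-proxy request instead of expecting a CONNECT tunnel, so Squid
# (not the browser) opens the SSL session to the origin.
http_port 80 accel defaultsite=site1.example vhost

# Origin link: Squid presents its own client certificate to the protected
# site. No sslversion= (default: automatic negotiation) and no
# DONT_VERIFY_PEER, so the origin certificate must chain to a CA under
# sslcapath.
cache_peer protectedSite1 parent 443 0 no-query originserver proxy-only ssl sslcert=/path/to/client.crt sslkey=/path/to/client.key sslcapath=/path/to/ca/ name=site1

# Only requests for the published hostname are relayed through this peer,
# and they must go via the peer (never direct), so the client certificate
# is always the one Squid holds.
acl site1_dom dstdomain site1.example
cache_peer_access site1 allow site1_dom
cache_peer_access site1 deny all
never_direct allow site1_dom

# Anything else is refused; a 403 here, as in the telnet test above,
# means the request never reached the cache_peer.
http_access allow site1_dom
http_access deny all
```

Run `squid -k parse` after editing and look for the "Using certificate in" lines without the "Peer certificates are not verified" NOTICE.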