Re: Cache Peer Redirection Based on User Certificate

[Eliezer Croitoru <eliezer@xxxxxxxxxxxx>]

OK just to make sure we are talking about the same issue:
try to read this file:
http://www1.ngtech.co.il/squid/ssl2.pcap

And tell me what do you mean..
packet number..
byte offset..

Thanks,
Eliezer

On 28/12/13 16:49, Waldemar Siebert wrote:
> Based on a string in client certficate (in my case CN field) I would
> like to route an https request to a dedicated webserver by using the
> cache_peer_access directive.
>
> E.g.: Client with certificate field CN a111 will be redirected to the
> parent P1
>
> Client with certificate field CN a222 will be redirected to the parent P2
>
> That works with acl type "src" but not with acl type user_cert
>
>
> Thanks
> Walt
>
>
>
>
> ----- Original Message ----- From: "Eliezer Croitoru"
> <eliezer@xxxxxxxxxxxx>
> To: <squid-users@xxxxxxxxxxxxxxx>
> Sent: Saturday, December 28, 2013 2:43 PM
> Subject: Re:  Cache Peer Redirection Based on User Certificate
>
>
> > I am still not sure what you are trying to achieve..
> >
> > From the docs at:
> > http://www.squid-cache.org/Doc/config/acl/
> >
> > acl aclname user_cert attribute values...
> >   # match against attributes in a user SSL certificate
> >   # attribute is one of DN/C/O/CN/L/ST [fast]
> >
> > It is only there for a basic inspection of the user SSL certificate...
> > the same goes for:
> > acl aclname ca_cert attribute values...
> >   # match against attributes a users issuing CA SSL certificate
> >   # attribute is one of DN/C/O/CN/L/ST [fast]
> >
> > It is there since 3.1 and the respective aspect on the client side is
> > on the side of the "client" which we are talking about "squid" in the
> > manner of making squid as a client and user while the "end user"
> > cannot send squid certificates for now.
> >
> > Squid is not a VPN system which allows specific clients access to a
> > specific level of the system since it's a very fast piece of software.
> > All these levels of SSL connection is not to be used inside of squid.
> >
> > I must say that I am not the SSL expert and if you need more
> > information on the matter it's pretty simple to ask about the whole
> > subject to understand it properly.(feel free to contact me or anyone
> > else)
> >
> > Regards,
> > Eliezer
> >
> > On 28/12/13 15:15, Waldemar Siebert wrote:
> > > Hello,
> > >
> > > what about acl user_cert?
> > >
> > > It works with http_access, but not with cache_peer_access. See Log
> > > bellow
> > > I use Squid 3.1.8
> > >
> > > Thanks
> > > Walt