Hello list,

I’m currently trying to wrap my head around the concept of using “acl name user_cert CN cn” on squid 3.5. What I would like to achieve is a setup where the client needs to pass a certificate and squid allows/denies access to the internet based on said certificate CN. So far I came up empty.

My current config:

    acl ssl_authentication user_cert CN user.cn.com
    http_access allow all ssl_authentication

    http_port 443 ssl-bump \
      cert=/etc/squid/myCA.pem \
      generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

    #this is what generates certs on the fly. Point to the CA you generated above.
    sslcrtd_program /usr/lib64/squid/ssl_crtd -s /tmp/squid/ssl_db -M 4MB
    sslcrtd_children 5

    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump all
    ssl_bump stare all

    always_direct allow all

From the client side I do:

    curl -E certificate.pem -k -x http://myproxy:443 https://www.google.de

but I get the access denied page. Checking cache.log I see:

    matches: checking ssl_authentication = 0
    clientAccessCheckDone: The request CONNECT www.google.de:443 is DENIED; last ACL checked: all

So it’s clear the acl doesn’t match. What am I doing wrong here? How should I adjust the acl?

PS: checking the certificate confirms the CN to be user.cn.com