Search squid archive

Re: Client certificate authentication problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 4/22/21 5:24 AM, Neven Vrenko wrote:
> Hello community,
> 
> I have a problem which I'm coping with for some time now.
> I would like to use client certificate authentication with http_port
> command.
> 
> As far as I understand the parameter "clientca" should be enough to
> request the browser to send/offer client certificate.
> 
> In my case this line is fairly simple and looks like this:
> 
>> http_port 443 clientca=/path/to/the/CA.pem

Today, client certificate authentication only works with TLS. That
implies that you need https_port instead of http_port (and your client
should use TLS to connect to the Squid proxy on that port!).


> However the "clientca" parameter seems to be ignored. Even when I put
> some non existing path as "clientca" value, Squid starts normally
> without error.

That is, IMO, a Squid configuration validation bug. Squid should quit
with a fatal configuration error instead.


HTH,

Alex.


> Squid version which I'm using is 5.0.5 and output of squid -v can be
> found below:
> 
> Squid Cache: Version 5.0.5
> Service Name: squid
> 
> This binary uses OpenSSL 1.0.2k-fips  26 Jan 2017. For legal
> restrictions on distribution see
> https://www.openssl.org/source/license.html
> <https://www.openssl.org/source/license.html>
> 
> configure options:  '--prefix=/usr' '--bindir=/usr/bin'
> '--sbindir=/usr/sbin' '--sysconfdir=/etc/squid' '--datadir=/usr/share'
> '--includedir=/usr/include' '--libexecdir=/usr/lib/squid'
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--localstatedir=/var'
> '--disable-dependency-tracking' '--disable-arch-native'
> '--enable-ltdl-install' '--enable-storeio=aufs,diskd,ufs,rock'
> '--enable-removal-policies=heap,lru' '--enable-icmp'
> '--enable-delay-pools' '--enable-esi' '--enable-icap-client'
> '--enable-cachemgr-hostname=localhost' '--enable-follow-x-forwarded-for'
> '--enable-forw-via-db' '--enable-cache-digests'
> '--enable-linux-netfilter' '--enable-auth'
> '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake'
> '--enable-auth-digest=file,LDAP,eDirectory'
> '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake'
> '--with-logdir=/var/log/squid' '--enable-log-daemon-helpers=DB,file'
> '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota'
> '--enable-url-rewrite-helpers=fake,LFS'
> '--enable-security-cert-validators' '--enable-security-cert-generators'
> _'--with-openssl'_ '--enable-ssl-crtd' '--enable-snmp'
> '--enable-stacktraces' '--enable-gnuregex'
> '--with-pidfile=/var/run/squid.pid' '--with-default-user=squid'
> '--with-aio' '--with-dl' '--with-pthreads'
> '--with-filedescriptors=16384' '--enable-wccpv2' '--enable-epoll'
> 
> I tried to put user_cert acl in hope that this would trigger certificate
> request, but it didn't happen.
> 
>> acl cert_authentication user_cert CN MY_CN
>> http_access allow cert_authentication
> 
> If somebody could point me in the right direction I would be very thankful.
> 
> Regards,
> Neven
> 
> P.S
> SELinux is disabled and CA certificate is in PEM format
> 
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
> 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux