Hello Alex,
thank you for your answer. I was little bit puzzled since I haven't got any error when using "clientca" with "http_port". I thought, maybe it was somehow possible, beyond my understanding. :)
The reason why I didn't respond immediately, because I wanted to test everything with the "https_port" configuration.
Now my configuration looks like this:
> https_port 443 tls-cert=/etc/squid/certs/new-squid.cert tls-key=/etc/squid/certs/new-squid.key clientca=/etc/squid/certs/autn.pem capath=/etc/squid/certs/CAs sslcontext=id
This works...
What I'm trying to do is access control with *user_cert* ACL based on CN information.
My ACL configuration is super minimal:
> acl ssl_auth user_cert CN "/etc/squid/allowed.cn"
> http_access allow ssl_auth
> http_access allow ssl_auth
>
> http_access deny all
File "/etc/squid/allowed.cn" contains one row/entry: "Doe John PKI 1234567890" (without quotes)
However this doesn't work.
From the cache.log, it is visible that client certificate information is fetched:
> clientNegotiateSSL: New session 0x11415a0 on FD 12 (10.x.x.x:60308)
> retrieveNegotiatedInfo: SSL connection info on FD 12 SSL version TLS/1.2 negotiated cipher AES128-GCM-SHA256
> clientNegotiateSSL: FD 12 client certificate: subject: /DC=tst/CN=Doe John PKI 1234567890
> clientNegotiateSSL: FD 12 client certificate: issuer: /DC=com/DC=tst/DC=PKI/CN=CA-AUTH-01
> Server.cc(90) readSomeData: conn7 local=10.x.x.x:443 remote=10.x.x.x:60308 FD 12 flags=1: reading request...
> retrieveNegotiatedInfo: SSL connection info on FD 12 SSL version TLS/1.2 negotiated cipher AES128-GCM-SHA256
> clientNegotiateSSL: FD 12 client certificate: subject: /DC=tst/CN=Doe John PKI 1234567890
> clientNegotiateSSL: FD 12 client certificate: issuer: /DC=com/DC=tst/DC=PKI/CN=CA-AUTH-01
> Server.cc(90) readSomeData: conn7 local=10.x.x.x:443 remote=10.x.x.x:60308 FD 12 flags=1: reading request...
From the cache.log is as well visible that ssl_auth ACL is checked, but there is NO MATCH:
> Acl.cc(124) matches: checking http_access
> Checklist.cc(398) bannedAction: Action 'ALLOWED/0' is not banned
> Acl.cc(124) matches: checking http_access#1
> Acl.cc(124) matches: checking ssl_auth < --- Access list
>
> CertificateData.cc(68) match: CN=Doe John PKI 1234567890 < --- Client certificate CN
>
> MemBlob.cc(56) MemBlob: constructed, this=0x14dccc0 id=blob1388 reserveSize=35
> MemBlob.cc(101) memAlloc: blob1388 memAlloc: requested=35, received=40
> SBuf.cc(866) reAlloc: SBuf5096 new store capacity: 40
> StringData.cc(33) match: aclMatchStringList: checking 'Doe John PKI 1234567890'
>
> StringData.cc(36) match: aclMatchStringList: 'Doe John PKI 1234567890' NOT found < --- doesn't match
>
> Acl.cc(151) matches: checked: ssl_auth = 0
> Acl.cc(151) matches: checked: http_access#1 = 0
> Checklist.cc(398) bannedAction: Action 'ALLOWED/0' is not banned
> Acl.cc(124) matches: checking http_access#1
> Acl.cc(124) matches: checking ssl_auth < --- Access list
>
> CertificateData.cc(68) match: CN=Doe John PKI 1234567890 < --- Client certificate CN
>
> MemBlob.cc(56) MemBlob: constructed, this=0x14dccc0 id=blob1388 reserveSize=35
> MemBlob.cc(101) memAlloc: blob1388 memAlloc: requested=35, received=40
> SBuf.cc(866) reAlloc: SBuf5096 new store capacity: 40
> StringData.cc(33) match: aclMatchStringList: checking 'Doe John PKI 1234567890'
>
> StringData.cc(36) match: aclMatchStringList: 'Doe John PKI 1234567890' NOT found < --- doesn't match
>
> Acl.cc(151) matches: checked: ssl_auth = 0
> Acl.cc(151) matches: checked: http_access#1 = 0
I'm really not sure what I have missed...
I tried to put CN directly in the ACL, so with no reference to thefile.
I tried to put single and double quotes around CN in allowed.cn file, as well.
Could you please help me further? What am I doing wrong here?
Thank you and regards,
Neven
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
