Well, well well...
I FOUND IT !!
Here is the solution :
In fact, there is an error in the support_ssl.c source file: there is an
inversion of 2 functions inside the functions sslGetUserAttribute and
sslGetCAAttribute.
So, to make it work:
1 - open ssl_support.c
2 - Find the function sslGetUserAttribute
3 - In this function, replace the call to X509_get_issuer_name with a call
to X509_get_subject_name
4 - Find the function sslGetCAAttribute
5 - In this function, replace the call to X509_get_subject_name with a call
to X509_get_issuer_name
6 - Compile Squid with SSL activated.
In your configuration file squid.conf, the filter format for a
certificate containing DN= CN=toto EA=toto@tata.fr should be the following
(this filters on the complete DN):

acl aclname1 user_cert DN /emailAddress=toto@tata.fr/CN=toto

Another example, if you filter only on the CN:

acl aclname2 user_cert CN toto

Regards,
Max
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Saturday, September 4, 2004 16:10
> To: Fauquet, Xavier
> Cc: 'Henrik Nordstrom'; 'squid-users@squid-cache.org'
> Subject: RE: [squid-users] Trying too use user_cert acl with SQUID 2.5 + SSL patch
>
>
> On Sat, 4 Sep 2004, Fauquet, Xavier wrote:
>
> >> http_access allow USER-ok
> >> http_access deny USER-ko
> >> http_access deny all
> >
> > I tried it and now everybody is denied.
>
> Suspected this. Your USER-ok is not matching the user.
>
> Regards
> Henrik
>
Received on Mon Sep 06 2004 - 05:55:27 MDT
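
The effect of the inversion described in the message above, as an added example that is not part of the original post and not Squid's source: a simplified C model that does not call OpenSSL and treats a certificate as its two one-line DNs. The struct, the function names, the issuer DN, the second user "titi" and the exact-match comparison are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model: a certificate is just its two one-line DNs. */
struct cert { const char *subject, *issuer; };
typedef int (*getter)(const struct cert *, const char *, char *, size_t);
/* Constructed sample certificates; the issuer DN is made up. */
static const struct cert toto = { "/emailAddress=toto@tata.fr/CN=toto", "/O=Example/CN=Example CA" };
static const struct cert titi = { "/emailAddress=titi@tata.fr/CN=titi", "/O=Example/CN=Example CA" };

/* Copy attribute `attr` ("DN" = whole name) of a one-line DN into out.
 * Returns 0 if absent or too long (fail closed); '/' inside values is not handled. */
static int dn_attribute(const char *dn, const char *attr, char *out, size_t len)
{
    size_t alen = strlen(attr);
    if (strcmp(attr, "DN") == 0)
        return strlen(dn) < len && strcpy(out, dn) != NULL;
    for (const char *p = dn; (p = strchr(p, '/')) != NULL; ) {
        p++;                                   /* step past the '/' separator */
        if (strncmp(p, attr, alen) == 0 && p[alen] == '=') {
            size_t n = strcspn(p + alen + 1, "/");
            if (n >= len) return 0;            /* never match on a truncated value */
            memcpy(out, p + alen + 1, n);
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

/* After the fix: the user attribute is read from the subject name. */
static int user_attr_fixed(const struct cert *c, const char *a, char *o, size_t n)
{ return dn_attribute(c->subject, a, o, n); }
/* Before the fix: the user attribute is read from the issuer name. */
static int user_attr_inverted(const struct cert *c, const char *a, char *o, size_t n)
{ return dn_attribute(c->issuer, a, o, n); }

/* Model of `acl NAME user_cert ATTR VALUE` (exact comparison is an assumption). */
static int acl_match(getter get, const struct cert *c, const char *attr, const char *want)
{
    char buf[256];
    return get(c, attr, buf, sizeof buf) && strcmp(buf, want) == 0;
}

int main(void)
{
    printf("fixed    CN toto       -> %d\n", acl_match(user_attr_fixed, &toto, "CN", "toto"));
    printf("inverted CN toto       -> %d\n", acl_match(user_attr_inverted, &toto, "CN", "toto"));
    printf("inverted CN Example CA -> %d\n", acl_match(user_attr_inverted, &titi, "CN", "Example CA"));
    return 0;
}
```

With the inverted lookup, an ACL written against the user's own CN never matches, while one that happens to name the CA matches every certificate that CA issued, so a user_cert ACL is worth testing with certificates that should be denied as well as ones that should be allowed.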