[squid-users] Problems with SSL Reverse Proxy and OpenCA Integration

From: H.Padukience <hp@dont-contact.us>
Date: Wed, 05 Apr 2006 13:33:34 +0200

Hi,

We planned to use squid 3.0 (-PRE3-20060221) as an SSL reverse proxy to
Microsoft IIS with OpenCA integration. Our (test) system environment
looks as follows:

OS: SuSE Enterprise 9 SP3
Squid-Version: 3.0-PRE3-20060221
Squid-Options: --prefix=/usr/local/squid3 --enable-ssl
Squid-Start-Options: /pathto/squid -sNd5Cf /pathto/etc/squid.conf
SSL: openssl-0.9.7d-15.21
Client-Browser: Microsoft Internet Explorer Version 5,6

We only want to accept connections depending on client certificate
validation (from OpenCA).

Here are the main lines for CA-Integration in squid:

--squid.conf--snip--
https_port 443 cert=/pathto/server.cert key=/pathto/server.key version=1
defaultsite=testserver clientca=/pathto/cacert.pem protocol=http
--snap--

After starting IE and selecting our installed client certificate
(user certificate) from the popup window, the connection stops with these errors:

--snip--
2006/04/05 14:51:08.035| clientNegotiateSSL: Error negotiating SSL
connection on FD 11: Aborted by client

2006/04/05 14:51:13| clientNegotiateSSL: Error negotiating SSL
connection on FD 11: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
(1/-1)

2006/04/05 14:52:47.747| clientNegotiateSSL: Error negotiating SSL
connection on FD 11: Aborted by client

2006/04/05 14:52:54| SSL unknown certificate error 20
in /C=DE/O=xxxx/OU=Internet/CN=padu/serialNumber=99

2006/04/05 14:52:54| clientNegotiateSSL: Error negotiating SSL
connection on FD 11: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)

2006/04/05 14:52:54| SSL unknown certificate error 20
in /C=DE/O=xxxx/OU=Internet/CN=padu/serialNumber=99
--snap--

Can you please give me a hint on how to force (any) clients to authenticate
with certificates?

-- 
Kind Regards from Nuernberg,
Holger Padukience
mailto: hp@padu.de
mobile: +49 170 9969293
Received on Wed Apr 05 2006 - 05:33:54 MDT
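The two error patterns in the log above map to two different conditions in OpenSSL: "peer did not return a certificate" means the browser sent no client certificate at all, while "SSL unknown certificate error 20" is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, which means a certificate was presented but its issuer (the OpenCA issuing CA, and any intermediate between it and the root) is not in the file given as clientca. The script below is an added lab example, not code from the original post or from squid: it stands up a plain Python ssl server that, like squid's clientca=, demands a client certificate and trusts exactly one CA, then runs the three handshakes the log shows (no certificate, certificate from a CA the server does not know, certificate from the trusted CA) and reports the server-side verdict, including the same verify code 20. It assumes the openssl command-line tool (1.1.1 or newer) is on PATH; the names Lab-CA, Other-CA, padu and testserver are constructed for the lab.

```python
"""Lab reproduction of the three client-certificate outcomes seen in the
squid log, using a stdlib TLS server that requires a client certificate
and trusts one CA (the role squid's clientca= plays).

Assumptions: the `openssl` CLI (1.1.1+) is on PATH; Lab-CA, Other-CA,
padu and testserver are constructed names for this example only.
"""
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path

# OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the presented
# certificate's issuer is not in the configured CA file ("error 20" in squid).
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20


def _openssl(*args, cwd):
    subprocess.run(["openssl", *args], cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def _issue(d, name, subj, issuer=None, extfile=None):
    """Key, CSR and certificate for one identity; self-signed if issuer is None."""
    _openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048",
             "-out", f"{name}.key", cwd=d)
    _openssl("req", "-new", "-key", f"{name}.key", "-subj", subj,
             "-out", f"{name}.csr", cwd=d)
    signer = (["-signkey", f"{name}.key"] if issuer is None
              else ["-CA", f"{issuer}.pem", "-CAkey", f"{issuer}.key"])
    ext = ["-extfile", extfile] if extfile else []
    _openssl("x509", "-req", "-days", "1", "-set_serial", "99", "-in", f"{name}.csr",
             *signer, *ext, "-out", f"{name}.pem", cwd=d)


def make_pki(workdir):
    """Two independent CAs, one client cert under each, and a throwaway
    self-signed server cert. Returns the directory as a Path."""
    d = Path(workdir)
    (d / "ca.ext").write_text("basicConstraints=critical,CA:TRUE\n")
    for ca in ("Lab-CA", "Other-CA"):
        _issue(d, ca, f"/CN={ca}", extfile="ca.ext")
        _issue(d, f"client-{ca}", "/CN=padu", issuer=ca)
    _issue(d, "server", "/CN=testserver")
    return d


def handshake(d, client_cert=None):
    """One TLS handshake against a server that only accepts client certs issued
    by Lab-CA. Returns the server's verdict: "no-certificate",
    ("verify-failed", <OpenSSL verify code>) or ("accepted", <client CN>)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(str(d / "server.pem"), str(d / "server.key"))
    srv.verify_mode = ssl.CERT_REQUIRED                      # a client cert is mandatory
    srv.load_verify_locations(cafile=str(d / "Lab-CA.pem"))  # the clientca= equivalent

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    verdict = {}

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with srv.wrap_socket(conn, server_side=True) as tls:  # handshake runs here
                subject = dict(kv for rdn in tls.getpeercert()["subject"] for kv in rdn)
                verdict["v"] = ("accepted", subject["commonName"])
                tls.recv(16)
                tls.sendall(b"ok")
        except ssl.SSLCertVerificationError as e:   # a cert was offered but does not verify
            verdict["v"] = ("verify-failed", e.verify_code)
        except ssl.SSLError as e:                   # the client sent no certificate at all
            verdict["v"] = ("no-certificate" if e.reason == "PEER_DID_NOT_RETURN_A_CERTIFICATE"
                            else ("ssl-error", e.reason))
        except OSError as e:
            verdict["v"] = ("socket-error", str(e))

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False        # lab client: the server's identity is not what is under test
    cli.verify_mode = ssl.CERT_NONE
    if client_cert:
        cli.load_cert_chain(str(d / f"client-{client_cert}.pem"),
                            str(d / f"client-{client_cert}.key"))
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw, \
                cli.wrap_socket(raw) as tls:
            tls.sendall(b"hello")
            tls.recv(16)
    except OSError:
        pass                          # a rejected session ends in a TLS alert or EOF on this side
    t.join(5)
    listener.close()
    return verdict.get("v", ("socket-error", "server did not finish"))


def run_lab():
    """Build the lab PKI and run the three handshakes the squid log shows."""
    with tempfile.TemporaryDirectory() as tmp:
        d = make_pki(tmp)
        return {"none": handshake(d),                   # browser sent nothing
                "other-ca": handshake(d, "Other-CA"),   # issuer not in the CA file
                "lab-ca": handshake(d, "Lab-CA")}       # issuer is the trusted CA


if __name__ == "__main__":
    for case, verdict in run_lab().items():
        print(f"{case:9s} -> {verdict}")
```

Read against the log: the "other-ca" case is what the server sees when the user certificate is signed by an OpenCA issuing CA whose certificate (and chain) is absent from the clientca file, so the defender's check is to confirm that cacert.pem contains the complete chain that actually issued the user certificates, not just a root; the "none" case is what appears when the browser offers nothing, which in IE happens when none of the installed certificates chains to a CA the server announced in its CertificateRequest. Only the CN of the client certificate is read back here, for the same reason squid logs the subject DN: a proxy that gates access on client certificates should log which identity was accepted.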
