Re: [squid-users] Problems with SSL Reverse Proxy and OpenCA Integration

From: H.Padukience <hp@dont-contact.us>
Date: Fri, 07 Apr 2006 15:08:35 +0200

hi all,

have no one any hint or idea ?!?

-> laurent . derrien / Henrik Nordstrom ....

kind regards, padu

Am Mittwoch, den 05.04.2006, 13:33 +0200 schrieb H.Padukience:
> Hi,
>
> we planed to use squid 3.0(-PRE3-20060221) as an SSL Reverse Proxy to
> Microsoft IIS with OpenCA Integration. our (test) system environment
> looks as follows:
>
> OS: SuSE Enterprise 9 SP3
> Squid-Version: 3.0-PRE3-20060221
> Squid-Options: --prefix=/usr/local/squid3 --enable-ssl
> Squid-Start-Options: /pathto/squid -sNd5Cf /pathto/etc/squid.conf
> SSL: openssl-0.9.7d-15.21
> Client-Browser: Microsoft Internet Explorer Version 5,6
>
> We only want to accept connections depending on client certificate
> validation (from OpenCA).
>
> Here are the main lines for CA-Integration in squid:
>
> --squid.conf--snip--
> https_port 443 cert=/pathto/server.cert key=/pathto/server.key version=1
> defaultsite=testserver clientca=/pathto/cacert.pem protocol=http
> --snap--
>
> After starting IE and select from POPUP-Window our installed client
> certificate (user-certificate), the connection stops with errors:
>
> --snip--
> 2006/04/05 14:51:08.035| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: Aborted by client
>
> 2006/04/05 14:51:13| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> (1/-1)
>
> 2006/04/05 14:52:47.747| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: Aborted by client
>
> 2006/04/05 14:52:54| SSL unknown certificate error 20
> in /C=DE/O=xxxx/OU=Internet/CN=padu/serialNumber=99
>
> 2006/04/05 14:52:54| clientNegotiateSSL: Error negotiating SSL
> connection on FD 11: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)
>
> 2006/04/05 14:52:54| SSL unknown certificate error 20
> in /C=DE/O=xxxx/OU=Internet/CN=padu/serialNumber=99
> --snap--
>
> Can you please give me a hint how to force (any) clients to authenticate
> with certificates?

-- 
Freundliche Gruesse aus Nuernberg,
Holger Padukience
mailto: hp@padu.de
mobil: +49 170 9969293
Received on Fri Apr 07 2006 - 07:08:58 MDT

This archive was generated by hypermail pre-2.1.9 : Mon May 01 2006 - 12:00:02 MDT