Re: [squid-users] Reverse proxy: http to https and certificate authentication

From: Matus UHLAR - fantomas <uhlar_at_fantomas.sk>
Date: Tue, 3 Feb 2009 17:20:49 +0100

> > > > >>>>> I have a soap client using python ZSI, the other end is oracle soa
> > > > >>>>> 10.1.3.1.0, and all has worked fine for some months. Last week oracle soa
> > > > >>>>> was configured to accept client certificate authentication over https.
> > > > >>>>> If I try to use the standard python httplib.HTTPSConnection library it
> > > > >>>>> fails with the infamous "bad record mac" error, and so does ZSI, which uses
> > > > >>>>> httplib. Other java tools such as soapui work just fine with oracle
> > > > >>>>> soa.
> > > > >>>>>
> > > > >>>>> Can squid do the hard work for me in the following configuration?
> > > > >>>>>
> > > > >>>>> ZSI soap client -> squid proxy over http -> oracle soa https
> > > > >>>>>
> > > > >>>>> however squid could authenticate to oracle soa, loading the cert file
> > > > >>>>> and the cert key from a local file.
> > > > >>>>>
> > > > >>>>> So I would like to send my soap request to squid over http and squid
> > > > >>>>> could connect to oracle soa over https presenting its own client
> > > > >>>>> certificate (not sent from my application but loaded from a local file).
> > > > >>>>>
> > > > >>>>> Is this configuration possible?

[...]

> > With oracle soa I have the following error:
> >
> > fwdNegotiateSSL: Error negotiating SSL connection on FD 15:
> > error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
> > (1/0/0)

On 03.02.09 12:21, Mailing List SVR wrote:
> Solved, I have to force squid to use ssl version 2 only and now it works
> fine,

SSL2 is insecure. Did you try forcing tls1 or ssl3?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I wonder how much deeper the ocean would be without sponges. 
Received on Tue Feb 03 2009 - 16:20:55 MST
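
The setup discussed in this thread (client -> squid over http -> origin over https with a client certificate), as an added configuration sketch that is not from the original messages. The host name, listening address and file paths are placeholders, and the `sslversion` values are those of the `cache_peer` directive in the Squid 2.x/3.x releases of that period.

```squidconf
# Added example, not from the thread. soa.example.internal and all
# file paths below are placeholders (assumptions).

# The SOAP client talks plain HTTP to squid on the loopback interface only,
# so the unencrypted leg never leaves the host.
http_port 127.0.0.1:3128 accel defaultsite=soa.example.internal

# Weak setting, the workaround reported in the thread: SSLv2 only.
# cache_peer soa.example.internal parent 443 0 no-query originserver ssl sslversion=2 sslcert=/etc/squid/client-cert.pem sslkey=/etc/squid/client-key.pem name=soa

# Corrected setting: pin the peer connection to TLSv1 instead.
#   sslversion: 1 = automatic, 2 = SSLv2 only, 3 = SSLv3 only, 4 = TLSv1 only
#   sslcert / sslkey: client certificate and key squid presents to the origin
#   sslcafile: CA used to verify the origin server's certificate
cache_peer soa.example.internal parent 443 0 no-query originserver ssl sslversion=4 sslcert=/etc/squid/client-cert.pem sslkey=/etc/squid/client-key.pem sslcafile=/etc/squid/soa-ca.pem name=soa

# Forward only requests for the SOA host, and only to that peer.
acl soa_site dstdomain soa.example.internal
http_access allow soa_site
http_access deny all
cache_peer_access soa allow soa_site
cache_peer_access soa deny all
never_direct allow soa_site
```

Keep the key file readable only by the squid user, since anyone who can reach the HTTP port is effectively authenticated to the origin with that certificate.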