Re: [squid-users] is squid in accelerator mode able to request client certificates for authentication?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 13 Mar 2009 14:28:58 +1300

Reiner Menkens wrote:
> Hi,
>
> we are using squid (3.0) in accelerator mode using https:
> https_port 443 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
> defaultsite=mail.domain.de
> cache_peer 10.1.1.1 parent 443 0 no-query originserver ssl
> sslflags=DONT_VERIFY_PEER name=mail.domain.de
> ...some acls...
> this is working fine.
>
> Now our customer wants to add a little bit security by authenticating
> the clients on the internet using client certificates. Is it possible to
> make squid request a client certificate (and if it is, how)? Or does the
> "real server" have to request the certificate? I didn't find anything
> like that in the docs - if I missed that, please give me a hint where to
> find it.
>
> client (internet) -----> squid (DMZ) -----> real server
>                          client-cert?       check if client
>                                             cert is valid?
>

(My knowledge is low regarding the cert handshake, so take with salt).

I believe that is done by the clients themselves verifying Squid's cert.
Just make sure it is signed by a public authority the clients can trust.

Squid verifying the back-end peer cert is done by simply removing the
"sslflags=DONT_VERIFY_PEER" and ensuring the cert Squid uses is properly
signed by an authority the peer trusts.

Be careful that the certs are all fine before removing that option; it will
result in peer requests dying if they fail the verification.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
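The peer-verification change Amos describes, written out against the poster's own accelerator config as an added example (not configuration from the thread). The `sslcafile=` and `ssldomain=` options are real Squid 3.0 `cache_peer` options that the thread does not mention; the CA bundle path is a placeholder.

```conf
# Added example: the poster's accelerator setup, before and after the change.

https_port 443 cert=/etc/squid/cert.pem key=/etc/squid/key.pem \
    defaultsite=mail.domain.de

# BEFORE (as posted): DONT_VERIFY_PEER means Squid accepts any certificate
# from 10.1.1.1, so a host that intercepts the DMZ->backend leg is not
# detected. TLS here only provides confidentiality, not authentication.
#cache_peer 10.1.1.1 parent 443 0 no-query originserver ssl \
#    sslflags=DONT_VERIFY_PEER name=mail.domain.de

# AFTER: drop DONT_VERIFY_PEER and tell Squid which CA signed the backend's
# certificate. Because the peer is addressed by IP (10.1.1.1) while the
# certificate is issued for mail.domain.de, ssldomain= supplies the name
# Squid must match; without it the verify fails on the hostname check.
cache_peer 10.1.1.1 parent 443 0 no-query originserver ssl \
    sslcafile=/etc/squid/backend-ca.pem \
    ssldomain=mail.domain.de \
    name=mail.domain.de
```

Before switching to the verified form, confirm that the backend's certificate chains to the CA in `sslcafile=` and carries the name given in `ssldomain=`, since a failed verification kills every request to that peer (the caveat Amos gives above).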
Received on Fri Mar 13 2009 - 01:28:22 MDT
