Hi,
I am trying to build a squid box that will proxy requests to two sites
that require a PKI cert. The client doesn't have a cert so I want the
squid box to take a request from the client and submit the certs it
has to retrieve the resource.
I was able to build squid 3.1.11 with ssl support and I have a very basic squid configuration to test. When I run squid -k parse I see that squid sees the certs:
2011/02/24 17:23:19| Initializing cache_peer akocac SSL context
2011/02/24 17:23:19| Using certificate in /webroot/conf/squid/.ssl/server.crt
2011/02/24 17:23:19| Using private key in /webroot/conf/squid/.ssl/server.key
2011/02/24 17:23:19| NOTICE: Peer certificates are not verified for validity!
2011/02/24 17:23:19| Initializing cache_peer informationassurance SSL context
2011/02/24 17:23:19| Using certificate in /webroot/conf/squid/.ssl/server.crt
2011/02/24 17:23:19| Using private key in /webroot/conf/squid/.ssl/server.key
2011/02/24 17:23:19| NOTICE: Peer certificates are not verified for validity!
BUT when I run squid -Nd1 I don't see any information about using the
certs or private key!!!
When squid is running I have tried to:
1. Configure my web browser to use the squid proxy and retrieve a
resource, but instead of the Squid certs being passed, I am requested
to use my certs loaded in my browser.
2. Telnet to the box and do a GET request for the resource:
telnet localhost 3128
Connected to linsrcheval2o.
Escape character is '^]'.
GET https://myProtectedSitel/pki/login/external_silent_autologin.jhtml
HTTP/1.0 403 Forbidden
Both cases seem to indicate that squid is not using the PKI cert/key
it has. Here is my configuration file:
cache_peer protectedSite1 parent 443 0 no-query ssl
sslcert=/webroot/conf/squid/.ssl/server.crt
sslkey=/webroot/conf/squid/.ssl/server.key
sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3
sslflags=DONT_VERIFY_PEER originserver proxy-only name=site1
cache_peer protectedSite2 sibling 443 0 no-query no-digest
no-netdb-exchange ssl sslcert=/webroot/conf/squid/.ssl/server.crt
sslkey=/webroot/conf/squid/.ssl/server.key
sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3
sslflags=DONT_VERIFY_PEER originserver proxy-only name=site2
Let me know if you need anything else and thanks for the help on this.
Jake Jacobson
http://www.google.com/profiles/jakecjacobson
Our greatest fear should not be of failure,
but of succeeding at something that doesn't really matter.
-- ANONYMOUS
Received on Thu Feb 24 2011 - 17:32:39 MST
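Added example, not from the post or from the Squid project: a short Python audit of the cache_peer lines above. It parses the mail-wrapped directives into their options and flags what Squid itself warns about at startup (sslflags=DONT_VERIFY_PEER), the sslversion=3 setting, which in Squid 3.1 restricts the peer handshake to SSLv3 only, and site2 being declared as a sibling while carrying originserver, which is documented for parent peers. The meanings of the sslversion values are assumed from the Squid 3.1 cache_peer documentation; the sample config is the one pasted in the post.

```python
# Meaning of cache_peer sslversion= values in Squid 3.1 (assumed from its docs).
SSLVERSION = {"1": "automatic", "2": "SSLv2 only", "3": "SSLv3 only", "4": "TLSv1 only"}
# The two cache_peer directives from the post, mail-wrapped exactly as pasted.
SAMPLE_CONF = """\
cache_peer protectedSite1 parent 443 0 no-query ssl
sslcert=/webroot/conf/squid/.ssl/server.crt
sslkey=/webroot/conf/squid/.ssl/server.key
sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3
sslflags=DONT_VERIFY_PEER originserver proxy-only name=site1
cache_peer protectedSite2 sibling 443 0 no-query no-digest
no-netdb-exchange ssl sslcert=/webroot/conf/squid/.ssl/server.crt
sslkey=/webroot/conf/squid/.ssl/server.key
sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3
sslflags=DONT_VERIFY_PEER originserver proxy-only name=site2
"""
def parse_cache_peers(conf: str) -> list[dict[str, str]]:
    """Parse 'cache_peer <host> <type> <http_port> <icp_port> [options]' lines."""
    logical: list[str] = []
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        # A line that does not begin a directive is a wrapped continuation.
        if line.startswith("cache_peer ") or not logical:
            logical.append(line)
        else:
            logical[-1] += " " + line
    peers = []
    for tok in (entry.split() for entry in logical):
        if tok[0] != "cache_peer" or len(tok) < 5:
            continue
        peer = {"host": tok[1], "type": tok[2], "http_port": tok[3], "icp_port": tok[4]}
        for key, _, value in (opt.partition("=") for opt in tok[5:]):
            peer[key] = value or "yes"  # bare flags such as 'ssl' become "yes"
        peers.append(peer)
    return peers

def audit_peer(peer: dict[str, str]) -> list[str]:
    """Findings for one peer: weakened TLS settings and inconsistent options."""
    name, out = peer.get("name", peer["host"]), []
    if "ssl" not in peer:
        return out
    if "DONT_VERIFY_PEER" in peer.get("sslflags", ""):
        out.append(f"{name}: DONT_VERIFY_PEER disables peer certificate verification")
    ver = peer.get("sslversion", "1")
    if ver in ("2", "3"):
        out.append(f"{name}: sslversion={ver} forces {SSLVERSION[ver]}; a peer that "
                   "refuses it fails the handshake (use 1 = automatic or 4 = TLSv1)")
    if peer["type"] != "parent" and "originserver" in peer:
        out.append(f"{name}: originserver is meant for parent peers, type is {peer['type']}")
    return out
```

Run it against the real squid.conf by reading the file into parse_cache_peers; every finding points at a cache_peer name as given by name=.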