[squid-users] Need help configuring squid 3.1.11 to pass Certs

From: Martin \(Jake\) Jacobson <jakecjacobson_at_gmail.com>
Date: Thu, 24 Feb 2011 12:32:18 -0500

Hi,

I am trying to build a squid box that will proxy requests to two sites
that require a PKI cert. The client doesn't have a cert so I want the
squid box to take a request from the client and submit the certs it
has to retrieve the resource.

I was able to build squid 3.1.11 with ssl support and I have a very
basic squid configuration to test. When I run squid -k parse I see
that squid sees the certs

2011/02/24 17:23:19| Initializing cache_peer akocac SSL context
2011/02/24 17:23:19| Using certificate in /webroot/conf/squid/.ssl/server.crt
2011/02/24 17:23:19| Using private key in /webroot/conf/squid/.ssl/server.key
2011/02/24 17:23:19| NOTICE: Peer certificates are not verified for validity!
2011/02/24 17:23:19| Initializing cache_peer informationassurance SSL context
2011/02/24 17:23:19| Using certificate in /webroot/conf/squid/.ssl/server.crt
2011/02/24 17:23:19| Using private key in /webroot/conf/squid/.ssl/server.key
2011/02/24 17:23:19| NOTICE: Peer certificates are not verified for validity!

BUT when I run squid -Nd1 I don't see any information about using the
certs or private key!!!

When squid is running I have tried to

1. Configure my web browser to use the squid proxy and retrieve a
resource but instead of the Squid certs being passed, I am requested
to use my certs loaded in my browser.

2. Telneting to the box and do a GET request for the resouced
  telnet localhost 3128
  Connected to linsrcheval2o.
  Escape character is '^]'.
  GET https://myProtectedSitel/pki/login/external_silent_autologin.jhtml
  HTTP/1.0 403 Forbidden

Both cases seem to indicate that squid is not using the PKI cert/key
it has. Here is my configuration file:

cache_peer protectedSite1 parent 443 0 no-query ssl
sslcert=/webroot/conf/squid/.ssl/server.crt
sslkey=/webroot/conf/squid/.ssl/server.key
sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3
sslflags=DONT_VERIFY_PEER originserver proxy-only name=site1
cache_peer protectedSite2 sibling 443 0 no-query no-digest
no-netdb-exchange ssl sslcert=/webroot/conf/squid/.ssl/server.crt
sslkey=/webroot/conf/squid/.ssl/server.key
sslcapath=/webroot/conf/squid/.ssl/ca/ sslversion=3
sslflags=DONT_VERIFY_PEER originserver proxy-only name=site2

Let me know if you need anything else and thanks for the help on this.

Jake Jacobson

http://www.google.com/profiles/jakecjacobson

Our greatest fear should not be of failure,
but of succeeding at something that doesn't really matter.
   -- ANONYMOUS
Received on Thu Feb 24 2011 - 17:32:39 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 25 2011 - 12:00:03 MST