Netgate Discussion Forum
    Squid3 mutual authentication with client certificate

    pfSense Packages
    9 Posts 3 Posters 9.7k Views
    TheNetStriker

      I'm using squid3 as an https reverse proxy. Behind the proxy I'm hosting a WCF REST webservice with mutual authentication, so the client needs to send a client certificate to authenticate on the webservice. When I connect directly to the server it works perfectly, but over the squid proxy the client certificate does not seem to reach the webserver. Is it possible to configure squid3 so that client certificates are passed to the webserver?

      marcelloc

        You may need to install the clients' CA on pfSense and include it in the config files (manually edit squid.inc).

        http://forums.freebsd.org/showthread.php?t=26708

        https_port 172.16.1.3:1234 accel defaultsite=10.200.210.25 cert=/etc/ssl/crt/server-cert.crt key=/etc/ssl/key/server-key.key sslflags=DONT_VERIFY_DOMAIN clientca=/etc/ssl/CA/cacert.pem cafile=/etc/ssl/CA/cacert.pem capath=/etc/ssl/CA/ sslcontext=id

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        TheNetStriker

          I've uploaded my CA certificate in crt (Base64) format to /etc/ssl/CA, modified my squid_reverse.inc file and added this to the https_port line:
          sslflags=DONT_VERIFY_DOMAIN clientca=/etc/ssl/CA/cacert.crt cafile=/etc/ssl/CA/cacert.crt capath=/etc/ssl/CA/ sslcontext=id

          Then I saved my reverse proxy settings again and checked if the options appear in /usr/local/etc/squid/squid.conf, and they did, but client authentication still does not work. I found the following error message in /var/squid/logs/cache.log:

          Error negotiating SSL connection on FD 16: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate (1/-1)

          Any other ideas on how to solve this problem?

          marcelloc

            @TheNetStriker:

            Any other ideas on how to solve this problem?

            Not yet. What does Google say about this error? Did you try squid3-dev (squid 3.3.5) on a virtual machine, for example?

            TheNetStriker

              In this forum thread, http://squid-web-proxy-cache.1019090.n4.nabble.com/icap-and-https-td3329449.html, I found these config options:
              ----------
              always_direct allow all
              ssl_bump allow all

              the following two options are unsafe and not always necessary:

              sslproxy_cert_error allow all
              sslproxy_flags DONT_VERIFY_PEER

              But they also don't solve my problem. After adding these config options the request never reaches the backend webserver. I've also tried to replace my 3.1.20 squid with squid-dev 3.3.4, but with this version nothing worked (all requests got a timeout), so I'm now back to 3.1.20.

              I think the problem might be that my webservice does not return its certificate until the client has authenticated itself using the client certificate. Might this be the problem?

              marcelloc

                Follow the squid3-dev forum topic instructions to get it running. SASL needs some libs that are not included in the pfSense install.

                TheNetStriker

                  I've installed the files from this thread: http://forum.pfsense.org/index.php?topic=62256.0

                  But squid still does not work. In the system log I found this entry:

                  php: /pkg_edit.php: The command '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '2013/06/06 17:23:08| ERROR: Directive 'ignore_expect_100' is obsolete. squid: ERROR: No running copy'
                  TheNetStriker

                    I've now tried some different configurations using squid 3.1 and found a configuration that is working. I've added these options to the https_port:
                    clientca=/usr/local/etc/squid/CA/cacert.pem cafile=/usr/local/etc/squid/CA/cacert.pem capath=/usr/local/etc/squid/CA

                    And this option to the cache_peer:
                    sslcert=/usr/local/etc/squid/Client.pem

                    With this configuration squid is authorizing the client certificate from the client application directly with the new options on https_port and then squid is authorizing the request on the webserver using the Client.pem configured in cache_peer. The only problem with this configuration is that now all https traffic needs a client certificate, but I only want to enable the client certificate on one cache_peer. Is this possible without adding a separate https port number?

                    Alain A
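                    As an added example (not code from the thread or from the pfSense package), the fragment below puts the options the thread arrived at into one Squid 3.1 reverse-proxy configuration and shows one way to scope the client-certificate requirement to a single back end: a second https_port without clientca, with a myport ACL steering only connections from the mTLS listener to the peer that needs the client certificate. The addresses, ports and file paths are the thread's own or placeholders; backend-ca.pem and the listener/ACL names are assumptions.

```squid
# Added example, not from the thread. IPs, ports and paths are placeholders
# taken from the thread; backend-ca.pem and the names below are assumptions.

# Listener A: mutual TLS. clientca/cafile/capath make Squid demand a client
# certificate on every connection to this port and verify it against the CA.
# A client that offers no certificate is logged in cache.log as
# "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate".
https_port 172.16.1.3:1234 accel defaultsite=10.200.210.25 \
    cert=/etc/ssl/crt/server-cert.crt key=/etc/ssl/key/server-key.key \
    clientca=/usr/local/etc/squid/CA/cacert.pem \
    cafile=/usr/local/etc/squid/CA/cacert.pem \
    capath=/usr/local/etc/squid/CA \
    sslcontext=mtls

# Listener B: ordinary TLS, no client certificate, for every other back end.
# Client-certificate verification is an https_port setting, not a cache_peer
# one, so a second listener is what scopes the requirement.
https_port 172.16.1.3:443 accel defaultsite=10.200.210.25 \
    cert=/etc/ssl/crt/server-cert.crt key=/etc/ssl/key/server-key.key \
    sslcontext=plain

# Back end that requires a client certificate: Squid presents Client.pem
# (sslcert/sslkey) and verifies the back end's own certificate against
# sslcafile, so the hop from proxy to webservice is checked as well.
cache_peer 10.200.210.25 parent 443 0 no-query originserver ssl \
    sslcert=/usr/local/etc/squid/Client.pem \
    sslkey=/usr/local/etc/squid/Client.pem \
    sslcafile=/usr/local/etc/squid/CA/backend-ca.pem \
    name=wcf_backend

# Only connections that arrived on the mTLS listener may use that peer;
# everything else is refused rather than silently forwarded.
acl mtls_listener myport 1234
cache_peer_access wcf_backend allow mtls_listener
cache_peer_access wcf_backend deny all
http_access allow mtls_listener
```

                    The thread's https_port line also carried sslflags=DONT_VERIFY_DOMAIN, which switches off matching the certificate name against the domain; it is left out here so the CA check is the only thing relaxed. After editing, `squid -k parse -f /usr/local/etc/squid/squid.conf` reports syntax problems before a reconfigure is attempted.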

                      Hello
                      I made a patch for the reverse-proxy squid3-dev package to allow peer authentication by certificate.
                      The patch adds to the general menu a section to choose the CA authority and the CRL.

                      I didn't find a way to call the regeneration of the CRL after the CRL was modified; there are no hooks for that in the CRL manager.

                      The workaround is to save the reverse-proxy config again or to make a PHP script for the crontab that calls squid_regenerate_crl().

                      Regards

                      squid_reverse_inc_patch.txt
                      squid_reverse_general_xml_patch.txt

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.