Squid3 mutual authentification with client certificate



  • I'm using squid3 as an https reverse proxy. Behind the proxy I'm hosting a WCF REST webservice with mutual authentication, so the client needs to send a client certificate to authenticate on the webservice. When I connect directly to the server it works perfectly, but over the squid proxy the client certificate does not seem to reach the webserver. Is it possible to configure squid3 so that client certificates are passed to the webserver?



  • You may need to install the client's CA on pfSense and include it in the config files (manually edit squid.inc)

    http://forums.freebsd.org/showthread.php?t=26708

    https_port 172.16.1.3:1234 accel defaultsite=10.200.210.25 cert=/etc/ssl/crt/server-cert.crt key=/etc/ssl/key/server-key.key sslflags=DONT_VERIFY_DOMAIN clientca=/etc/ssl/CA/cacert.pem cafile=/etc/ssl/CA/cacert.pem capath=/etc/ssl/CA/ sslcontext=id
    
    


  • I've uploaded my CA certificate in crt (Base64) format to /etc/ssl/CA and modified my squid_reverse.inc file and added this line to the https_port line:
    sslflags=DONT_VERIFY_DOMAIN clientca=/etc/ssl/CA/cacert.crt cafile=/etc/ssl/CA/cacert.crt capath=/etc/ssl/CA/ sslcontext=id

    Then I saved my reverse proxy settings again and checked if the options appear in /usr/local/etc/squid/squid.conf, and they did, but client authentication still does not work. I found the following error message in /var/squid/logs/cache.log:

    Error negotiating SSL connection on FD 16: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate (1/-1)
    

    Any other ideas on how to solve this problem?



  • @TheNetStriker:

    Any other ideas on how to solve this problem?

    Not yet. What does Google say about this error? Did you try with squid3-dev (squid 3.3.5) on a virtual machine, for example?



  • In this http://squid-web-proxy-cache.1019090.n4.nabble.com/icap-and-https-td3329449.html forum thread I found these config options:
    --------
    always_direct allow all
    ssl_bump allow all

    the following two options are unsafe and not always necessary:

    sslproxy_cert_error allow all
    sslproxy_flags DONT_VERIFY_PEER

    But they also don't solve my problem. After adding these config options the request never reaches the backend webserver. I've also tried to replace my 3.1.20 squid with squid-dev 3.3.4, but with this version nothing worked (all requests got a timeout), so I'm now back to 3.1.20.

    I think the problem might be that my webservice does not return its certificate until the client has authorized itself using the client certificate. Might this be the problem?



  • Follow the squid3-dev forum topic instructions to get it running. SASL needs some libs that are not included in the pfSense install.



  • I've installed the files from this thread: http://forum.pfsense.org/index.php?topic=62256.0

    But squid still does not work. In the system log I found this entry:

    php: /pkg_edit.php: The command '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '2013/06/06 17:23:08| ERROR: Directive 'ignore_expect_100' is obsolete. squid: ERROR: No running copy'
    


  • I've now tried some different configurations using squid 3.1 and found a configuration that is working. I've added these options to the https_port:
    clientca=/usr/local/etc/squid/CA/cacert.pem cafile=/usr/local/etc/squid/CA/cacert.pem capath=/usr/local/etc/squid/CA

    And this option to the cache_peer:
    sslcert=/usr/local/etc/squid/Client.pem

    With this configuration squid is authorizing the client certificate from the client application directly with the new options on https_port and then squid is authorizing the request on the webserver using the Client.pem configured in cache_peer. The only problem with this configuration is that now all https traffic needs a client certificate, but I only want to enable the client certificate on one cache_peer. Is this possible without adding a separate https port number?
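    As an added illustration (not from any post in this thread), the working setup described above assembled into one Squid 3.1 reverse-proxy fragment. The addresses, port, hostname and file paths are assumptions; the backend CA file and Client.key are hypothetical names.

    ```conf
    # Added example, not the poster's own squid.conf. Front side: Squid
    # terminates TLS and demands a client certificate signed by the CA in
    # cacert.pem. A missing or untrusted client certificate is rejected here
    # (cache.log: "peer did not return a certificate") and never reaches
    # the backend. Paths and addresses are assumed values.
    https_port 172.16.1.3:443 accel defaultsite=service.example.internal cert=/usr/local/etc/squid/server-cert.pem key=/usr/local/etc/squid/server-key.pem clientca=/usr/local/etc/squid/CA/cacert.pem cafile=/usr/local/etc/squid/CA/cacert.pem capath=/usr/local/etc/squid/CA

    # Back side: the original client certificate is not forwarded, so Squid
    # re-authenticates to the WCF service with its own certificate
    # (Client.pem / Client.key). sslcafile= makes Squid verify the backend's
    # server certificate rather than disabling verification with
    # sslflags=DONT_VERIFY_PEER. backend-ca.pem is a hypothetical file name.
    cache_peer 10.200.210.25 parent 443 0 no-query originserver ssl sslcert=/usr/local/etc/squid/Client.pem sslkey=/usr/local/etc/squid/Client.key sslcafile=/usr/local/etc/squid/CA/backend-ca.pem name=wcfservice

    # Route only the published site to this peer and deny everything else,
    # so the proxy cannot be used to reach other hosts with Client.pem.
    acl wcf_site dstdomain service.example.internal
    cache_peer_access wcfservice allow wcf_site
    cache_peer_access wcfservice deny all
    http_access allow wcf_site
    http_access deny all
    ```

    Because clientca= is a property of the https_port, every client connecting to that port is asked for a certificate, which is exactly the limitation the post above describes.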



  • Hello
    I made a patch for the reverse-proxy squid3-dev package to allow peer authentication by certificate.
    The patch adds a section to the general menu to choose the CA authority and the CRL.

    I didn't find a way to call the regeneration of the CRL after the CRL was modified; there are no hooks for that in the CRL manager.

    The workaround is to save the reverse-proxy config again or to make a PHP script for the crontab that calls squid_regenerate_crl()

    Regards

    squid_reverse_inc_patch.txt
    squid_reverse_general_xml_patch.txt

