Squid3 mutual authentification with client certificate
-
I'am using squid3 as https reverse proxy. Behind the proxy I'am hosting a wcf rest webservice with mutual authentification, so the client needs to send a client certificate to authenticate on the webservice. When I connect directly to the server it works perfectly, but over the squid proxy the client certificate does not seam to reach the webserver. Is it possible to configure squid3 so that client certificates are passed to the webserver?
-
You may need to install clients CA on pfsense and include it on config files(manual edit squid.inc)
http://forums.freebsd.org/showthread.php?t=26708
https_port 172.16.1.3:1234 accel defaultsite=10.200.210.25 cert=/etc/ssl/crt/server-cert.crt key=/etc/ssl/key/server-key.key sslflags=DONT_VERIFY_DOMAIN clientca=/etc/ssl/CA/cacert.pem cafile=/etc/ssl/CA/cacert.pem capath=/etc/ssl/CA/ sslcontext=id -
I've uploaded my CA certifiacte in crt (Base64) format to /etc/ssl/CA and modified my squid_reverse.inc file and added this line to the https_port line:
sslflags=DONT_VERIFY_DOMAIN clientca=/etc/ssl/CA/cacert.crt cafile=/etc/ssl/CA/cacert.crt capath=/etc/ssl/CA/ sslcontext=idThen I saved my reverse proxy settings again and checked if the options appear in /usr/local/etc/squid/squid.conf and they did, but client authentification still does not work. I found the follwing error message in /var/squid/logs/cache.log:
Error negotiating SSL connection on FD 16: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate (1/-1)Any other ideas on how to solve this problem?
-
Any other ideas on how to solve this problem?
Not yet. what google says about this error? Did you tried with squid3-dev(squid 3.3.5) on a virtual machine for example?
-
In this http://squid-web-proxy-cache.1019090.n4.nabble.com/icap-and-https-td3329449.html forum thread I found these config options:
ā--------
always_direct allow all
ssl_bump allow allthe following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEERBut they also don't solve my problem. After adding these config options the request never reaches the backend webserver. I've also tried to replace my 3.1.20 squid with squid-dev 3.3.4, but with this version nothing worked (All request got a timeout) so I'am now back to 3.1.20.
I think the problem might be that my webservice does not return his certificate until the client has himself authorized using the client certificate. Might this be the problem?
-
Follow squid3-dev forum topic instructions to get it running. Sasl needs some libs that is not included on pfsense install.
-
I've installed the files from this thread: http://forum.pfsense.org/index.php?topic=62256.0
But squid still does not work. In the system log I found this entry:
php: /pkg_edit.php: The command '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '2013/06/06 17:23:08| ERROR: Directive 'ignore_expect_100' is obsolete. squid: ERROR: No running copy' -
I've now tried some different configurations using squid 3.1 and found a configuration that is working. I've added these options to the https_port:
clientca=/usr/local/etc/squid/CA/cacert.pem cafile=/usr/local/etc/squid/CA/cacert.pem capath=/usr/local/etc/squid/CAAnd this option to the cache_peer:
sslcert=/usr/local/etc/squid/Client.pemWith this configuration squid is authorizing the client certificate from the client application directly with the new options on https_port and then squid is authorizing the request on the webserver using the Client.pem configured in cache_peer. The only problem with this configuration is that now all https traffic needs a client certificate, but I only want to enable the client certificate on one cache_peer. Is this possible without adding a separate https port number?
-
HEllo
I made a patch for reverse-proxy squid3-dev package to allow the peer authentification by certificate.
the patch add in the general menu a section to choose the CA autority and the CRL.I didnt find way to call the regeneration of the crl after the crl was modified there are no hooks for that in crl manager
the work arround is to save again the reverse-proxy config or to make a php script for the crontab who call squid_regenerate_crl()
Regards
squid_reverse_inc_patch.txt
squid_reverse_general_xml_patch.txt
