Henrik,

> > Now I want users to authenticate to squid with their personal
> > certificates, I think squid has support for this?

>
> Squid-3 or Squid-2.5 with SSL update patch have, but
> unfortunately the support in browsers is very limited unless
> you are running a reverse proxy/accelerator.


Yes, I'm running squid-3 in reverse proxy/accel mode. So should be fine.


> You need to set clientca to the certificate of the issuing CA
> you want to accept certificates from, and to use the
> certificate related acls.


That's what I did, and can't get it to work. I have a self-signed CA and issued
many certs for clients. This is what https_port looks like:

https_port 443 defaultsite=myserver:443 protocol=https
cert=/usr/local/squid/etc/proxy.crt
key=/usr/local/squid/etc/proxy.key sslflags=DELAYED_AUTH
clientca=/usr/local/squid/etc/ca.crt

All certs are in PEM format.

Get this error when starting squid:

[root@proxy etc]# /usr/local/squid/sbin/squid
FATAL: Failed to acquire SSL certificate '/usr/local/squid/etc/proxy..crt':
error:0906D06C:PEM routines:PEM_read_bio:no start line

Squid Cache (Version 3.0-PRE3): Terminated abnormally.
CPU Usage: 0.030 seconds = 0.020 user + 0.010 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 592
Aborted
[root@proxy etc]#

I should note that when I remove clientca and use only http basic auth via
ldap it works pretty well. Any ideas?

Thanks,
David
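
The "PEM_read_bio:no start line" error above is what OpenSSL reports when a file it was asked to read as PEM contains no "-----BEGIN ...-----" header. The following is an added example, not part of the original message and not Squid code: a pre-start check that reads the cert=, key= and clientca= paths from an https_port line and reports which file lacks PEM framing. The accepted labels, helper names and sample files are assumptions of this example, and it checks framing only, not whether the certificate or key is valid.

```python
import re
import tempfile

# PEM labels accepted for each https_port option (assumption of this example).
CERT = ("CERTIFICATE",)
KEY = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
EXPECTED = {"cert": CERT, "clientca": CERT, "key": KEY}
BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)

def pem_options(directive):
    """Return {option: path} for cert=, key= and clientca= in an https_port line."""
    pairs = (tok.partition("=") for tok in directive.split())
    return {name: value for name, sep, value in pairs if sep and name in EXPECTED}

def check_pem(path, labels):
    """Return None if the file has a PEM block with an accepted label, else a reason."""
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        return f"cannot read: {exc.strerror}"
    found = BEGIN.findall(text)
    if not found:
        return "no start line (no '-----BEGIN ...-----' header; DER or empty file?)"
    if not any(label in labels for label in found):
        return f"unexpected PEM type {found[0]!r}"
    return None

def check_directive(directive):
    """Map each PEM-bearing option to None (ok) or a reason string."""
    return {name: check_pem(path, EXPECTED[name])
            for name, path in pem_options(directive).items()}

def demo():
    """Constructed sample: a PEM-framed cert, a DER-like key, a missing CA file."""
    d = tempfile.mkdtemp()
    with open(f"{d}/proxy.crt", "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n")
    with open(f"{d}/proxy.key", "wb") as fh:
        fh.write(b"\x30\x82\x01\x0a")  # raw DER-style bytes, no PEM header
    line = (f"https_port 443 defaultsite=myserver:443 cert={d}/proxy.crt "
            f"key={d}/proxy.key sslflags=DELAYED_AUTH clientca={d}/ca.crt")
    return check_directive(line)

if __name__ == "__main__":
    print(demo())
```

To check a real configuration, pass the https_port line joined onto one line to check_directive().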