[squid-users] Fwd: Squid authentication on the origin server during SslBumping
piphonom at gmail.com
Mon Dec 28 14:34:51 UTC 2015
Sorry if my question is repeated, but I didn't find any answer.
We have a remote web server to which only authenticated users have
access. Authentication is done with X509 certificates.
I want authentication to the remote web server to be transparent
for our local network users. For this I'm trying to set up Squid in
transparent mode with SSL bumping.
Is it possible to set up Squid to authenticate itself to the remote
origin with an X509 certificate?
I tried to set up Squid 3.5.12 to do SSL bumping and authenticate
itself to the origin with the X509 certificate, but was unsuccessful.
Here is part of my test config for SSL bumping:
https_port 3131 intercept ssl-bump generate-host-certificates=on
ssl_bump peek all
ssl_bump bump all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /home/user/squiddata/ssl_db
sslproxy_client_certificate /home/user/squiddata/client.crt # certificate to authenticate server on the Origin. Is it right?
# appropriate key
# CAs bundle
acl SSLERR ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
sslproxy_cert_error allow SSLERR
sslproxy_cert_error deny all
But I get the following error:
Error negotiating SSL on FD 12: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback
1450974176.611 45 192.168.1.114 TAG_NONE/200 0 CONNECT <remote ip>:443 - ORIGINAL_DST/<remote ip> -
Error negotiating SSL connection on FD 10: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback (1/-1)
It seems the remote server can't authenticate Squid.
SSL bumping with only remote server verification works well.
Thanks in advance.