[squid-users] Mutual authenticated SSL
lucas2 at dds.nl
lucas2 at dds.nl
Tue Feb 16 14:11:42 UTC 2016
Hi List,
I am using Squid 3.1.23 as a reverse proxy. Client authentication to
backend servers is mandatory. All backend servers use client certificate
based authentication which I configure as follows:
cache_peer (...) ssl sslcert=/etc/squid/client-certs/client-cert.pem
(...)
The .pem file is provided by the backend maintainers and they take care
of the server side of the client authentication process. The .pem file
also contains a private key.
This works fine.
However now the maintainer of a backend server has supplied a server
certificate that has the "client authentication eku enabled", which
"should be sufficient for mutual authenticated SSL"
It shows like this:
# openssl x509 -in server.crt -noout -text
(...)
x509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication,
E-mail Protection
(...)
When I use this certificate directly in my squid configuration I get an
error when loading the config: "Failed to acquire SSL private key"
Unfortunately my knowledge of SSL certificates is limited, and I do not
know exactly which mode of operation the backend maintainer intends to
use for mutual authentication. I can imagine, however, that it is
undesirable to share the private key of a server certificate.
So my question is:
- Is it possible, Squid reverse proxy, to use a certificate that has the
"client authentication eku enabled" to achieve client authentication?
- How should this be configured?
Thanks,
Lucas
More information about the squid-users
mailing list