[squid-users] Mutual authenticated SSL

Amos Jeffries squid3 at treenet.co.nz
Tue Feb 16 14:33:10 UTC 2016


On 17/02/2016 3:11 a.m., lucas2 at dds.nl wrote:
> Hi List,
> 
> I am using Squid 3.1.23 as a reverse proxy. Client authentication to
> backend servers is mandatory. All backend servers use client certificate
> based authentication which I configure as follows:
> cache_peer (...) ssl sslcert=/etc/squid/client-certs/client-cert.pem (...)
> The .pem file is provided by the backend maintainers and they take care
> of the server side of the client authentication process. The .pem file
> also contains a private key.
> This works fine.
> 

Yes.  TLS requires each participant to have two keys. One public (in the
cert itself) and one private. Without both Squid cannot perform TLS.

In this configuration you happen to have both keys in the same .PEM
file. The private key should not be 'in the cert', just sitting next to
the cert in the same file.


> However now the maintainer of a backend server has supplied a server
> certificate that has the "client authentication eku enabled", which
> "should be sufficient for mutual authenticated SSL"
> 
> It shows like this:
> 
> # openssl x509 -in server.crt -noout -text
> (...)
>    x509v3 Extended Key Usage:
>        TLS Web Client Authentication, TLS Web Server Authentication,
> E-mail Protection
> (...)
> 
> When I use this certificate directly in my squid configuration I get an
> error when loading the config: "Failed to acquire SSL private key"

This new .PEM file is missing the private key which is paired with that
certificate.

The person who generated the two keys and initiated the cert-request
process should be able to supply you with the private key Squid needs to
use that cert.


> 
> Unfortunately my knowledge of SSL certificates is limited, and I do not
> know exactly which mode of operation the backend maintainer intends to
> use for mutual authentication. I can imagine, however, that it is
> undesirable to share the private key of a server certificate.
> 
> So my question is:
> - Is it possible, with a Squid reverse proxy, to use a certificate that has the
> "client authentication eku enabled" to achieve client authentication?

Yes. EKU just restricts the certificate to being used on HTTP ("Web")
connections. For example, you cannot install it into email software.
Outside that restriction it is essentially the same as the one you had
before.


> - How should this be configured?

Same as before if possible. With both cert and private key in the same .PEM.

If the private key is not allowed to be in the same .pem as the cert for
some reason, then you can configure Squid with a sslkey= parameter
pointing to a different .pem file with just the private key in it.
Either way Squid needs both the cert and the private key to make use of it.

Amos
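
Added example, not part of the original thread and not Squid's own code: a pre-flight check that reads the PEM block labels in a file and decides whether `sslcert=` alone is enough, whether a separate `sslkey=` file is needed, or whether the file holds only a certificate (the situation behind "Failed to acquire SSL private key"). The sample PEM contents are constructed placeholders, and the `server.key` name and the helper function names are hypothetical.

```python
import base64
import re

# PEM armor: -----BEGIN <label>----- base64 -----END <label>-----
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_blocks(text):
    """Return the labels of all well-formed PEM blocks, in file order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text.replace("\r\n", "\n")):
        # Legacy encrypted keys put "Proc-Type:" headers and a blank line before the base64.
        _, sep, payload = body.partition("\n\n")
        if not sep:
            payload = body
        base64.b64decode("".join(payload.split()), validate=True)  # raises on a damaged block
        labels.append(label)
    return labels

def has_key(text):
    return any(label in KEY_LABELS for label in pem_blocks(text))

def cache_peer_options(cert_path, cert_text, key_path=None, key_text=None):
    """Build the sslcert=/sslkey= options, or raise if no private key is available."""
    if "CERTIFICATE" not in pem_blocks(cert_text):
        raise ValueError(f"{cert_path}: no CERTIFICATE block")
    if has_key(cert_text):
        return f"ssl sslcert={cert_path}"  # cert and key side by side in one file
    if key_text is not None and has_key(key_text):
        return f"ssl sslcert={cert_path} sslkey={key_path}"
    raise ValueError(f"{cert_path}: certificate only, no private key to pair with it")

def _pem(label):
    # Constructed sample block: placeholder bytes, not a real certificate or key.
    body = base64.b64encode(b"constructed placeholder").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

CLIENT_PEM = _pem("CERTIFICATE") + _pem("PRIVATE KEY")  # shaped like client-cert.pem
SERVER_CRT = _pem("CERTIFICATE")                        # shaped like the new server.crt
KEY_ONLY = _pem("PRIVATE KEY")                          # hypothetical separate key file

if __name__ == "__main__":
    print(cache_peer_options("/etc/squid/client-certs/client-cert.pem", CLIENT_PEM))
    print(cache_peer_options("server.crt", SERVER_CRT, "server.key", KEY_ONLY))
    try:
        cache_peer_options("server.crt", SERVER_CRT)
    except ValueError as err:
        print("would fail to load:", err)
```

The check only confirms that a private key block is present; it does not verify that the key is the one paired with the certificate.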

