[squid-users] Client certificate authentication problem

Neven Vrenko neven.vrenko at gmail.com
Fri Apr 30 08:40:50 UTC 2021

Hello Alex,

thank you for your answer. I was little bit puzzled since I haven't got any
error when using "clientca" with "http_port". I thought, maybe it was
somehow possible, beyond my understanding. :)

The reason why I didn't respond immediately, because I wanted to test
everything with the "https_port" configuration.

Now my configuration looks like this:

> https_port 443 tls-cert=/etc/squid/certs/new-squid.cert
tls-key=/etc/squid/certs/new-squid.key clientca=/etc/squid/certs/autn.pem
capath=/etc/squid/certs/CAs sslcontext=id

This works...

What I'm trying to do is access control with *user_cert* ACL based on CN

My ACL configuration is super minimal:

> acl ssl_auth user_cert CN "/etc/squid/allowed.cn"
> http_access allow ssl_auth
> http_access deny all

File "/etc/squid/allowed.cn" contains one row/entry: "Doe John PKI
1234567890" (without quotes)

However this doesn't work.

>From the cache.log, it is visible that client certificate information is

> clientNegotiateSSL: New session 0x11415a0 on FD 12 (10.x.x.x:60308)
> retrieveNegotiatedInfo: SSL connection info on FD 12 SSL version TLS/1.2
negotiated cipher AES128-GCM-SHA256
> clientNegotiateSSL: FD 12 client certificate: subject: /DC=tst/CN=Doe
John PKI 1234567890
> clientNegotiateSSL: FD 12 client certificate: issuer:
> Server.cc(90) readSomeData: conn7 local=10.x.x.x:443
remote=10.x.x.x:60308 FD 12 flags=1: reading request...

>From the cache.log is as well visible that ssl_auth ACL is checked, but
there is NO MATCH:

> Acl.cc(124) matches: checking http_access
> Checklist.cc(398) bannedAction: Action 'ALLOWED/0' is not banned
> Acl.cc(124) matches: checking http_access#1
> Acl.cc(124) matches: checking ssl_auth     < --- Access list
> CertificateData.cc(68) match: CN=Doe John PKI 1234567890   < --- Client
certificate CN
> MemBlob.cc(56) MemBlob: constructed, this=0x14dccc0 id=blob1388
> MemBlob.cc(101) memAlloc: blob1388 memAlloc: requested=35, received=40
> SBuf.cc(866) reAlloc: SBuf5096 new store capacity: 40
> StringData.cc(33) match: aclMatchStringList: checking 'Doe John PKI
> StringData.cc(36) match: aclMatchStringList: 'Doe John PKI 1234567890'
NOT found   < --- doesn't match
> Acl.cc(151) matches: checked: ssl_auth = 0
> Acl.cc(151) matches: checked: http_access#1 = 0

I'm really not sure what I have missed...
I tried to put CN directly in the ACL, so with no reference to thefile.
I tried to put single and double quotes around CN in allowed.cn file, as

Could you please help me further? What am I doing wrong here?

Thank you and regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210430/f6af83eb/attachment.htm>

More information about the squid-users mailing list