[squid-users] Mutual authenticated SSL

lucas2 at dds.nl
Tue Feb 16 14:11:42 UTC 2016


Hi List,

I am using Squid 3.1.23 as a reverse proxy. Client authentication to 
backend servers is mandatory. All backend servers use client certificate 
based authentication which I configure as follows:
cache_peer (...) ssl sslcert=/etc/squid/client-certs/client-cert.pem 
(...)
The .pem file is provided by the backend maintainers and they take care 
of the server side of the client authentication process. The .pem file 
also contains a private key.
This works fine.

However now the maintainer of a backend server has supplied a server 
certificate that has the "client authentication eku enabled", which 
"should be sufficient for mutual authenticated SSL"

It shows like this:

# openssl x509 -in server.crt -noout -text
(...)
    x509v3 Extended Key Usage:
        TLS Web Client Authentication, TLS Web Server Authentication, 
E-mail Protection
(...)

When I use this certificate directly in my squid configuration I get an 
error when loading the config: "Failed to acquire SSL private key"

Unfortunately my knowledge of SSL certificates is limited, and I do not 
know exactly which mode of operation the backend maintainer intends to 
use for mutual authentication. I can imagine, however, that it is 
undesirable to share the private key of a server certificate.

So my question is:
- Is it possible, in a Squid reverse proxy, to use a certificate that has the 
"client authentication eku enabled" to achieve client authentication?
- How should this be configured?

Thanks,
Lucas
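As an added illustration, not part of Lucas's message or of Squid's own code: "Failed to acquire SSL private key" is the message Squid gives when it cannot load a private key from the file named in sslcert= (or in sslkey=, the companion option for a key kept in a separate file), which is exactly the situation when a bare server certificate is dropped into that option. The script below inventories a PEM file for that condition and reads the Extended Key Usage extension from each certificate with a stdlib-only DER walk, so the two facts the question turns on (is a key present, does the certificate list clientAuth) can be checked side by side. The certificates and key it feeds itself are constructed stand-ins (an EKU extension wrapped the way X.509 nests it, plus an empty placeholder key body), not real credentials, and the function names are assumptions of this example.

```python
"""Inventory a PEM file as Squid's sslcert=/sslkey= options see it: key present or not, and each certificate's EKU."""
import base64
import re

OID_EXT_KEY_USAGE = "2.5.29.37"        # X509v3 extKeyUsage
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # TLS Web Client Authentication
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # TLS Web Server Authentication
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block in text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

# Minimal DER helpers: definite-length encoding only, which is all X.509 uses.
def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs, high bit = more)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def decode_oid(value):
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def der_children(data):
    out, i = [], 0  # top-level (tag, value) TLVs of data
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            length, hdr = int.from_bytes(data[i + 2:i + 2 + n], "big"), 2 + n
        out.append((tag, data[i + hdr:i + hdr + length]))
        i += hdr + length
    return out

def extended_key_usage(der):
    """Dotted OIDs in the extKeyUsage extension ([] if absent); recurses through constructed nodes."""
    for tag, value in der_children(der):
        if not tag & 0x20:
            continue
        kids = der_children(value)
        if tag == 0x30 and kids and kids[0][0] == 0x06 \
                and decode_oid(kids[0][1]) == OID_EXT_KEY_USAGE:
            octets = [v for t, v in kids if t == 0x04]  # extnValue
            if octets:
                seq = der_children(octets[0])[0][1]  # SEQUENCE OF KeyPurposeId
                return [decode_oid(v) for t, v in der_children(seq) if t == 0x06]
        found = extended_key_usage(value)
        if found:
            return found
    return []

def inspect_bundle(text):
    blocks = pem_blocks(text)
    certs = []
    for label, der in blocks:
        if label == "CERTIFICATE":
            eku = extended_key_usage(der)
            certs.append({"eku": eku, "client_auth": OID_CLIENT_AUTH in eku})
    return {"has_private_key": any(l in KEY_LABELS for l, _ in blocks),
            "certificates": certs}

# CONSTRUCTED inputs: stand-ins carrying only an extKeyUsage extension in X.509's
# nesting ([3] Extensions wrapper). Not real certificates/keys; Squid/OpenSSL reject them.
def stub_cert(*purposes):
    ext = der_tlv(0x30, encode_oid(OID_EXT_KEY_USAGE)
                  + der_tlv(0x04, der_tlv(0x30, b"".join(encode_oid(p) for p in purposes))))
    return der_tlv(0x30, der_tlv(0xA3, der_tlv(0x30, ext)))

def to_pem(label, der):  # wrap DER as a 64-column PEM block
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# The backend's server.crt (clientAuth + serverAuth EKU, no key) versus the bundle
# the working cache_peer line loads (certificate followed by its private key).
SERVER_CRT = to_pem("CERTIFICATE", stub_cert(OID_CLIENT_AUTH, OID_SERVER_AUTH))
CLIENT_BUNDLE = (to_pem("CERTIFICATE", stub_cert(OID_CLIENT_AUTH))
                 + to_pem("PRIVATE KEY", der_tlv(0x30, b"")))  # placeholder key body
```

Running `inspect_bundle(SERVER_CRT)` reports `has_private_key: False` with a certificate whose EKU lists clientAuth, while `inspect_bundle(CLIENT_BUNDLE)` reports `has_private_key: True`. The two reports side by side make the distinction the question turns on: the EKU says which roles a certificate may play, while the private key is what lets a party prove it holds that certificate, so a clientAuth EKU on the backend's own certificate does not by itself give the proxy anything it can present.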

