[squid-users] using "acl <name> user_cert CN <cn>"

claudiu vasadi claudiu.vasadi at gmail.com
Fri Feb 28 13:35:00 UTC 2020


Hello list,

I’m currently trying to wrap my head around the concept of using “acl
name user_cert CN cn” on squid 3.5. What I would like to achieve is a
setup where the client needs to pass a certificate and squid
allows/denies access to the internet based on said certificate CN. So
far I came up empty.

My current config:

acl ssl_authentication user_cert CN user.cn.com
http_access allow all ssl_authentication

http_port 443 ssl-bump  \
  cert=/etc/squid/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

#this is what generates certs on the fly. Point to the CA you generated above.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /tmp/squid/ssl_db -M 4MB
sslcrtd_children 5

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump stare all
always_direct allow all


From the client side I do:

curl -E certificate.pem -k -x http://myproxy:443 https://www.google.de


but I get the access denied page.

Checking cache.log I see:
matches: checking ssl_authentication = 0
clientAccessCheckDone: The request CONNECT www.google.de:443 is
DENIED; last ACL checked: all

So it’s clear the acl doesn’t match.

What am I doing wrong here? How should I adjust the acl?

PS: checking the certificate confirms the CN to be user.cn.com
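As an added illustration (not part of the original post and not Squid's own code), the following small Python model reproduces how Squid walks an http_access line: the ACLs on one line are ANDed and checked left to right, the first line whose ACLs all match decides, and when no line matches the default is the opposite of the last line's action. It models only the two ACL types in the post, `all` and `user_cert CN`, and assumes that a `user_cert` ACL can only match a certificate the client actually presented to Squid itself; a request that reached Squid without one is modelled as `client_cert_cn=None`. The config strings, `Request`, `decide` and the `EXPLICIT_CONFIG` variant with a closing `deny all` are constructed for the example.

```python
"""Toy model of Squid's http_access evaluation for 'user_cert CN' ACLs.

Added example, not Squid's code.  Models only:
  acl <name> all
  acl <name> user_cert CN <cn> [<cn> ...]
  http_access allow|deny [!]<acl> [[!]<acl> ...]
Assumption: a user_cert ACL is evaluated against the certificate the client
presented to Squid itself; no client certificate at Squid == no match.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    # CN of the client certificate presented to Squid, or None if none was.
    client_cert_cn: Optional[str] = None


@dataclass
class Config:
    # acl name -> (acl type, list of values)
    acls: Dict[str, Tuple[str, List[str]]] = field(default_factory=dict)
    # (action, [(negated, acl name), ...]) in file order
    rules: List[Tuple[str, List[Tuple[bool, str]]]] = field(default_factory=list)


def parse_config(text: str) -> Config:
    cfg = Config()
    cfg.acls["all"] = ("all", [])  # Squid predefines 'all'
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acltype, values = parts[1], parts[2], parts[3:]
            if acltype == "user_cert":
                if not values or values[0] != "CN":
                    raise ValueError("only 'user_cert CN <cn>' is modelled")
                values = values[1:]
            elif acltype != "all":
                raise ValueError(f"unsupported acl type: {acltype}")
            if name in cfg.acls:
                cfg.acls[name][1].extend(values)  # repeated acl lines accumulate
            else:
                cfg.acls[name] = (acltype, list(values))
        elif parts[0] == "http_access":
            action = parts[1].lower()
            if action not in ("allow", "deny"):
                raise ValueError(f"bad http_access action: {action}")
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            cfg.rules.append((action, terms))
        # http_port, ssl_bump, ... do not take part in http_access evaluation
    return cfg


def acl_matches(cfg: Config, name: str, req: Request) -> bool:
    acltype, values = cfg.acls[name]
    if acltype == "all":
        return True
    # user_cert CN: only matches when a client certificate reached Squid
    return req.client_cert_cn is not None and req.client_cert_cn in values


def evaluate(cfg: Config, req: Request) -> Tuple[str, List[str]]:
    """Return ("ALLOWED"|"DENIED", cache.log-style 'matches:' trace lines)."""
    trace: List[str] = []
    for action, terms in cfg.rules:
        line_matched = True
        for negated, name in terms:
            m = acl_matches(cfg, name, req)
            trace.append(f"matches: checking {name} = {int(m)}")
            if m == negated:  # a plain term fails on 0, a !term fails on 1
                line_matched = False
                break
        if line_matched:
            return ("ALLOWED" if action == "allow" else "DENIED"), trace
    if not cfg.rules:
        return "DENIED", trace
    last_action = cfg.rules[-1][0]  # nothing matched: opposite of last action
    return ("DENIED" if last_action == "allow" else "ALLOWED"), trace


def decide(config_text: str, client_cert_cn: Optional[str]) -> str:
    return evaluate(parse_config(config_text), Request(client_cert_cn))[0]


# The two http_access-relevant lines from the post (constructed copy).
POSTED_CONFIG = """
acl ssl_authentication user_cert CN user.cn.com
http_access allow all ssl_authentication
"""

# Same intent with an explicit final deny, so the implicit default is never relied on.
EXPLICIT_CONFIG = """
acl ssl_authentication user_cert CN user.cn.com
http_access allow ssl_authentication
http_access deny all
"""

if __name__ == "__main__":
    for cn in (None, "user.cn.com", "someone.else.com"):
        decision, trace = evaluate(parse_config(POSTED_CONFIG), Request(cn))
        print(f"client cert CN={cn!r}: {decision}  ({'; '.join(trace)})")
```

Running it shows the posted pair of lines producing `matches: checking all = 1` followed by `matches: checking ssl_authentication = 0` and a DENIED decision whenever no client certificate reached Squid, and ALLOWED only for a certificate whose CN is exactly `user.cn.com`; the explicit `deny all` variant behaves the same but makes the closing rule visible in the config rather than leaving it to Squid's default.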