[squid-users] Client certificate authentication problem

Neven Vrenko neven.vrenko at gmail.com
Thu Apr 22 09:24:22 UTC 2021


Hello community,

I have a problem which I'm coping with for some time now.
I would like to use client certificate authentication with http_port
command.

As far as I understand the parameter "clientca" should be enough to request
the browser to send/offer client certificate.

In my case this line is fairly simple and looks like this:

> http_port 443 clientca=/path/to/the/CA.pem

However the "clientca" parameter seems to be ignored. Even when I put some
non existing path as "clientca" value, Squid starts normally without error.

Squid version which I'm using is 5.0.5 and output of squid -v can be found
below:

Squid Cache: Version 5.0.5
Service Name: squid

This binary uses OpenSSL 1.0.2k-fips  26 Jan 2017. For legal restrictions
on distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc/squid' '--datadir=/usr/share'
'--includedir=/usr/include' '--libexecdir=/usr/lib/squid'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--localstatedir=/var'
'--disable-dependency-tracking' '--disable-arch-native'
'--enable-ltdl-install' '--enable-storeio=aufs,diskd,ufs,rock'
'--enable-removal-policies=heap,lru' '--enable-icmp' '--enable-delay-pools'
'--enable-esi' '--enable-icap-client'
'--enable-cachemgr-hostname=localhost' '--enable-follow-x-forwarded-for'
'--enable-forw-via-db' '--enable-cache-digests' '--enable-linux-netfilter'
'--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake'
'--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake'
'--with-logdir=/var/log/squid' '--enable-log-daemon-helpers=DB,file'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota'
'--enable-url-rewrite-helpers=fake,LFS' '--enable-security-cert-validators'
'--enable-security-cert-generators' *'--with-openssl'* '--enable-ssl-crtd'
'--enable-snmp' '--enable-stacktraces' '--enable-gnuregex'
'--with-pidfile=/var/run/squid.pid' '--with-default-user=squid'
'--with-aio' '--with-dl' '--with-pthreads' '--with-filedescriptors=16384'
'--enable-wccpv2' '--enable-epoll'

I tried to put user_cert acl in hope that this would trigger certificate
request, but it didn't happen.

> acl cert_authentication user_cert CN MY_CN
> http_access allow cert_authentication

If somebody could point me in the right direction I would be very thankful.

Regards,
Neven

P.S
SELinux is disabled and CA certificate is in PEM format
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210422/106ec5e5/attachment.htm>


More information about the squid-users mailing list