[squid-users] SSL Client certificates

2008-06-30 Thread Alex van Denzel
Hello,

I have a problem regarding the authentication of client certificates.

The situation:

We have an application server (appsrv), running a web-application on
port 7511 (plaintext http). Internal clients connect to this server
using plain http over port 7511 directly to the server. External
clients connect using https over port 443 through a reverse proxy. The
proxy connects plain http to port 7511 on the appsrv.

Corporate policy requires us to place the reverse proxy in a secure
subnet (ssn). This is a sort of dmz behind a dmz. Note that the proxy
now has no working connection to the Internet.

In the dmz there is a machine that does a port-forwarding of port 443 to
our proxy. The firewalls are configured to allow that.

Our proxy connects to port 7511 of the appsrv. The firewalls are
configured to allow that too.

Internet -- firewall -- dmz -- firewall -- ssn -- firewall -- local lan
              |                     |                    |
clients 443 --- port forw. --443-- rev. proxy 7511 --- appsrv

The reverse proxy is a Squid-cache, version 2.6.STABLE19, running on
Red Hat Enterprise Linux AS release 4 (Nahant Update 6).

The config of the squid box is (more or less) as follows

https_port our_ip:443 \
cert=/etc/ssl/server.crt \
key=/etc/ssl/server.key \
clientca=/etc/ssl/clientca.ca-bundle \
cafile=/etc/ssl/root.ca-bundle \
defaultsite=appsrv \
vhost \
sslflags=NO_SESSION_REUSE

cache_peer appsrv parent 7511 0 originserver no-query default no-digest

I've got a few questions about this, which I can't find in the manual,
the FAQ and, for that matter with Google.

First, the browser (IE and FF) give me a selection box where I can
select the client certificate to use. But not all client certificates
I installed are listed. How does the browser know which certificates
to select, or, how does the server tell this to the browser?

Second, the only way out to the internet is through another proxy (I
think a Microsoft ISA server). How can I tell Squid (or OpenSSL) to
use this proxy for outgoing CA and CRL verification requests. I have
put 'http_proxy=http://192.168.x.y:8080;' into the
/etc/sysconfig/network file, which is sourced by /etc/init.d/squid,
but I haven't been able to verify if this is working.

Third. Recently we changed to another SSL provider (Comodo) and I've
changed something in the configuration and client certificate
verification didn't work anymore. I've tried some things, but I'm at
a loss here. Can anyone clarify what actually happens during client
verification? Currently I've disabled client certificate verification
(removed the clientca line), so the users can still work. I don't have
a test platform, and the pilot site was forced into production before
I had time to test it all.

I've read somewhere that this client certificate stuff in Squid is
still experimental, but we'd really want to have it working.

Thanks in advance,
Kind Regards,
Alex van Denzel.


Re: [squid-users] SSL Client certificates

2008-06-30 Thread Henrik Nordstrom
On mån, 2008-06-30 at 12:11 +0200, Alex van Denzel wrote:
> In the dmz exists machine that does a port-forwarding of port 443 to
> our proxy. The firewalls are configured to allow that.

Hmm... then you lose the source IP before it reaches your Squid, which
would make the Squid logs a lot less useful.

> Our proxy connects to port 7511 of the appsrv. The firewalls are
> configured to allow that too.

Ok.

> The reverse proxy is a Squid-cache, version 2.6.STABLE19, running on
> Red Hat Enterprise Linux AS release 4 (Nahant Update 6).

Ok.

> First, the browser (IE and FF) give me a selection box where I can
> select the client certificate to use. But not all client certificates
> I installed are listed. How does the browser know which certificates
> to select, or, how does the server tell this to the browser?

That's done by the clientca option.

It's also possible to request any certificate but not sure this is
implemented in Squid.

> Second, the only way out to the internet is through another proxy (I
> think a Microsoft ISA server). How can I tell Squid (or OpenSSL) to
> use this proxy for outgoing CA and CRL verification requests.

Squid does not automatically fetch CRL lists. You have to set up this
manually, and install the CRLs in a directory found by openssl.

Hmm.. we really should add a config option to specify the directory.

> Third. Recently we changed to another SSL provider (Comodo) and I've
> changed something in the configuration and client certificate
> verification didn't work anymore. I've tried some things, but I'm at
> a loss here.

Probably the CA of the issuer isn't known to your Squid..

clientca= doesn't automatically make those CAs trusted, it just makes
Squid request a certificate issued by the subject of any certificate in
that file. Could just as well be a list of issuer names..

> Can anyone clarify what actually happens during client
> verification?

1. Squid requests a certificate, asking the client to provide one which
matches clientca=..

2. Client sends certificate to Squid.

3. OpenSSL automatically verifies the certificate, which involves
finding the proper CA in the local CA store and also that it's not
revoked by a CRL in the local CRL store.

> I've read somewhere that this client certificate stuff in Squid is
> still experimental, but we'd really want to have it working.

Yes, it's still a bit experimental. Mainly due to the lack of OCSP for
online certificate validation without requiring the admin to set up CRL
downloads..

Regards
Henrik
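The three steps Henrik lists end in OpenSSL's own chain-plus-CRL check, and his point that clientca= only names acceptable issuers while trust and CRLs come from the local OpenSSL store is easy to see on the command line. The following script is an added example, not code from the thread or from Squid: it builds a throwaway CA and client certificate, issues a CRL, lays both out in an OpenSSL hash directory (the hash.0 / hash.r0 naming that c_rehash produces), and runs the same verification that step 3 describes. It assumes the openssl CLI is installed; every name and serial is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA + client cert + CRL, then
# the chain and revocation check OpenSSL performs for a client certificate.
set -eu

setup_pki() {                       # prints the work dir on stdout
  W=$(mktemp -d)
  ( cd "$W"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
      -subj "/CN=Example Client CA" -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=alice" -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -sha256 -days 2 -out client.crt 2>/dev/null
    # minimal 'openssl ca' database, needed only to revoke and to sign a CRL
    : > index.txt; echo 1000 > crlnumber; mkdir crls
    printf '[ca]\ndefault_ca = d\n[d]\ndatabase = index.txt\n' > ca.cnf
    printf 'crlnumber = crlnumber\ndefault_md = sha256\ndefault_crl_days = 2\n' >> ca.cnf )
  echo "$W"
}

# Sign the current CRL and drop CA + CRL into the hash directory under the
# names OpenSSL's directory lookup expects: <subject hash>.0 for the CA cert,
# <issuer hash>.r0 for its CRL (c_rehash / 'openssl rehash' make symlinks).
install_crl() {                     # $1 = work dir
  ( cd "$1"
    openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out ca.crl 2>/dev/null
    cp ca.crt "crls/$(openssl x509 -noout -hash -in ca.crt).0"
    cp ca.crl "crls/$(openssl crl -noout -hash -in ca.crl).r0" )
}

revoke_client() {                   # $1 = work dir; marks alice's cert revoked
  ( cd "$1"; openssl ca -config ca.cnf -revoke client.crt \
      -keyfile ca.key -cert ca.crt 2>/dev/null )
}

# Step 3: the cert must chain to a CA in the trust store AND not be listed on
# that CA's CRL. -crl_check fails outright when no CRL for the issuer can be
# found, which is why the CRLs have to live where OpenSSL looks for them.
verify_client() {                   # $1 = work dir; exit 0 only when valid
  ( cd "$1"; openssl verify -crl_check -CApath crls client.crt 2>/dev/null ) \
    | grep -q 'client.crt: OK'
}
```

Run setup_pki, then verify_client before and after install_crl and again after revoke_client plus a fresh install_crl: the check passes only in the middle state, with a trusted CA and a CRL that does not list the certificate.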
