[squid-users] NTLM passthrough over https breaks during NTLM handshake

From: Benjamin Indermühle <benjamin_at_inthemill.ch>
Date: Fri, 18 Sep 2009 11:08:01 +0200

Hello

I am trying to setup a squid between my exchange server and the
outside world.
I am having troubles getting ntlm to work.

[internet]---<https>---[squid]---<https>---[exchange]

Squid's job would be to terminate the ssl connection and start a new
one the the ntlm server and pass the ntlm authorization through to
exchange.

The ssl connections squid -> exchange is getting terminated with
following error in squid

2009/09/18 09:05:38| fwdNegotiateSSL: Error negotiating SSL connection
on FD 18: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2009/09/18 09:05:38| TCP connection to xchg07-dev-be.dev.domain.com
(10.1.3.20:443) failed

If I switch the connection Squid <-> exchange to http the connection
does not break. and ntlm auth works

I have tried all kinds of parameters in the configuration
With or without client certificate, nothing helped the connection
terminates every time.
I have also tried different version of Squid namely:

Squid Cache: Version 2.7 STABLE6
Squid Cache: Version 2.6 STABLE20

I am running Centos5 on the Server

I took a closer look at the ntlm handshake and made a tcpdump on squid
to see how and when the connection is terminated

>>>>>>>>>>>>> Page Request
Please authenticate with NTLM <<<<<<
>>>>>>>>>>>>> NTLM negotiate
NTLM challenge <<<<<<<<<<<<<<<<<<<

TCP Connection should not be terminated from here on
Squid resends Client Hello package
Exchange terminates connection.
Connection is reopened.

>>>>>>>>>>>> NTLM AUthentication
RESET <<<<<<<<<<<<<<<<<<<<<<

This is my squid config
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 10.1.16.33:443 cert=/etc/squid/ssl/webmail-dev.crt key=/etc/
squid/ssl/webmail-dev.key cafile=/etc/squid/ssl/webmail-dev.crt
defaultsite=webmail-dev.domain.com
cache_peer 10.1.3.20 parent 443 0 no-query originserver login=PASS ssl
sslcert=/etc/squid/ssl/sextans-be.cert sslkey=/etc/squid/ssl/sextans-
be.key sslcafile=/etc/squid/ssl/someca-cax509.cert
# access control
acl all src 0.0.0.0/0.0.0.0

# basic URL based access restriction for DEV Exchange 2007
acl url_allow url_regex -i ^https://webmail-dev.domain.com/

http_access allow url_allow
http_access deny all

# extra access log file
access_log /var/log/squid/access.log
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

any help would be appreciated.

Best regards
Benjamin Indermühle
Received on Fri Sep 18 2009 - 09:08:13 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 18 2009 - 12:00:03 MDT