Hello
I am trying to set up a squid between my exchange server and the
outside world.
I am having trouble getting ntlm to work.
[internet]---<https>---[squid]---<https>---[exchange]
Squid's job would be to terminate the ssl connection and start a new
one to the ntlm server and pass the ntlm authorization through to
exchange.
The ssl connection squid -> exchange is getting terminated with the
following error in squid:
2009/09/18 09:05:38| fwdNegotiateSSL: Error negotiating SSL connection
on FD 18: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2009/09/18 09:05:38| TCP connection to xchg07-dev-be.dev.domain.com
(10.1.3.20:443) failed
If I switch the connection Squid <-> exchange to http the connection
does not break, and ntlm auth works.
I have tried all kinds of parameters in the configuration,
with or without client certificate; nothing helped, the connection
terminates every time.
I have also tried different versions of Squid, namely:
Squid Cache: Version 2.7 STABLE6
Squid Cache: Version 2.6 STABLE20
I am running CentOS 5 on the server.
I took a closer look at the ntlm handshake and made a tcpdump on squid
to see how and when the connection is terminated:
>>>>>>>>>>>>> Page Request
Please authenticate with NTLM <<<<<<
>>>>>>>>>>>>> NTLM negotiate
NTLM challenge <<<<<<<<<<<<<<<<<<<
TCP Connection should not be terminated from here on
Squid resends Client Hello packet.
Exchange terminates connection.
Connection is reopened.
>>>>>>>>>>>> NTLM Authentication
RESET <<<<<<<<<<<<<<<<<<<<<<
This is my squid config:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 10.1.16.33:443 cert=/etc/squid/ssl/webmail-dev.crt key=/etc/squid/ssl/webmail-dev.key cafile=/etc/squid/ssl/webmail-dev.crt defaultsite=webmail-dev.domain.com
cache_peer 10.1.3.20 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid/ssl/sextans-be.cert sslkey=/etc/squid/ssl/sextans-be.key sslcafile=/etc/squid/ssl/someca-cax509.cert
# access control
acl all src 0.0.0.0/0.0.0.0
# basic URL based access restriction for DEV Exchange 2007
acl url_allow url_regex -i ^https://webmail-dev.domain.com/
http_access allow url_allow
http_access deny all
# extra access log file
access_log /var/log/squid/access.log
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Any help would be appreciated.
Best regards
Benjamin Indermühle
Received on Fri Sep 18 2009 - 09:08:13 MDT
This archive was generated by hypermail 2.2.0 : Fri Sep 18 2009 - 12:00:03 MDT
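The handshake sketched in the post is easier to reason about once the NTLM tokens in the HTTP headers are decoded and tied to the TCP connection they travelled on: NTLM over HTTP authenticates the connection, so the Type 3 (AUTHENTICATE) message has to go out on the same backend connection that received the Type 2 (CHALLENGE), and a proxy that reopens the connection between those two messages cannot complete the handshake. The checker below is an added example, not code from the post or from Squid; it takes header lines already pulled out of a capture (connection id, direction, header name, header value), decodes the NTLMSSP message type from the base64 token, and flags an AUTHENTICATE that arrives on a different connection than its CHALLENGE. The sample events, the connection ids `fd18`/`fd21` and the minimal NTLM messages are constructed for the example and are not taken from the poster's capture.

```python
import base64
import struct

# NTLMSSP message header: 8-byte signature followed by a little-endian
# 32-bit message type (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE).
NTLM_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def ntlm_message_type(header_value):
    """Decode the NTLM message type from an Authorization or
    WWW-Authenticate header value of the form 'NTLM <base64>'.
    Returns None for a bare 'NTLM' offer or a non-NTLM scheme and
    raises ValueError for a token that is not an NTLMSSP message."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "NTLM":
        return None
    raw = base64.b64decode(parts[1])
    if len(raw) < 12 or raw[:8] != NTLM_SIGNATURE:
        raise ValueError("token is not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return msg_type


def trace_handshake(events):
    """events: (conn_id, direction, header_name, header_value) tuples in
    capture order; direction '>' is client->server, '<' server->client.
    Returns (steps, problems): steps is the decoded message sequence,
    problems lists every AUTHENTICATE that did not travel on the
    connection that carried its CHALLENGE (NTLM binds auth to the
    TCP connection, so that handshake cannot succeed)."""
    steps, problems = [], []
    challenge_conn = None
    for conn_id, direction, _name, value in events:
        mtype = ntlm_message_type(value)
        if mtype is not None:
            label = MESSAGE_NAMES.get(mtype, "unknown(%d)" % mtype)
        elif value.strip().upper() == "NTLM":
            label = "offer"
        else:
            label = "other"
        steps.append((conn_id, direction, label))
        if mtype == 2:
            challenge_conn = conn_id
        elif mtype == 3:
            if challenge_conn is None:
                problems.append(
                    "AUTHENTICATE on %s with no preceding CHALLENGE" % conn_id)
            elif conn_id != challenge_conn:
                problems.append(
                    "AUTHENTICATE on %s but CHALLENGE was on %s: "
                    "connection reopened mid-handshake" % (conn_id, challenge_conn))
            challenge_conn = None
    return steps, problems


# Constructed, structurally minimal NTLM messages for the sample trace.
# Real messages carry domain/workstation names and NTLMv2 blobs; only the
# 12-byte header is inspected above.
def _negotiate():
    body = NTLM_SIGNATURE + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16
    return base64.b64encode(body).decode()


def _challenge():
    body = (NTLM_SIGNATURE + struct.pack("<I", 2) + b"\x00" * 8
            + struct.pack("<I", 0x00088205)
            + b"\x01\x23\x45\x67\x89\xab\xcd\xef"   # constructed server challenge
            + b"\x00" * 16)
    return base64.b64encode(body).decode()


def _authenticate():
    body = NTLM_SIGNATURE + struct.pack("<I", 3) + b"\x00" * 52
    return base64.b64encode(body).decode()


# Constructed sample mirroring the sequence in the post: offer, negotiate
# and challenge on one backend connection (hypothetical id fd18), then the
# authenticate message on a freshly opened connection (hypothetical fd21).
SAMPLE_EVENTS = [
    ("fd18", "<", "WWW-Authenticate", "NTLM"),
    ("fd18", ">", "Authorization", "NTLM " + _negotiate()),
    ("fd18", "<", "WWW-Authenticate", "NTLM " + _challenge()),
    ("fd21", ">", "Authorization", "NTLM " + _authenticate()),
]

if __name__ == "__main__":
    steps, problems = trace_handshake(SAMPLE_EVENTS)
    for conn_id, direction, label in steps:
        print(conn_id, direction, label)
    for problem in problems:
        print("PROBLEM:", problem)
```

Feeding it the header lines from a real capture (for example exported per TCP stream with a packet analyser) shows exactly which connection each NTLM message used; a reported problem means the proxy-to-backend connection was not kept open across the challenge/response pair, which is the condition the post's tcpdump notes point at.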