Thanks for your help, I think we are getting there! Choking on proxy stacking though, see below:

Bazsi wrote:

You probably don't need server side keys as you disabled encryption. You want the same on the client side, e.g. you'd need client_keypair_files, however the 'keypair' attributes were only added because of the GUI of the professional version, you need these:

    client_key_file -- [STRING:"":RW:R] Client side authentication private key corresponding to 'client_cert_file'.
    client_cert_file -- [STRING:"":RW:R] Filename of the client side authentication certificate in PEM format. This must be a server certificate, since for clients the proxy behaves as it were an SSL server.
OK, did that, also stripped the PEM passphrase from my private key so Zorp could read it. Then I was seeing:

    Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (svc/INhttps:0/pssl): Client side SSL handshake successful;
    Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (svc/INhttps:0/pssl): Stacking subproxy; client='19:20', server='21:22'
    Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (stderr): Traceback (most recent call last):
    Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (stderr):   File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 425, in stackProxy
    Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (stderr):     proxyLog(self, CORE_DEBUG, 7, "Stacking child proxy; client_fd='%d', server_fd='%d', class='%s'", (client_stream.fd, server_stream.fd, proxy_class.__name__))
    Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (stderr): AttributeError: 'tuple' object has no attribute '__name__'

Looked again at the example in http://www.balabit.com/network-security/zorp-gateway/gpl/tutorial/, looks like for Zorp GPL the correct form is

    self.stack_proxy = OWAHttpProxy

instead of

    self.stack_proxy = (Z_STACK_PROXY, OWAHttpProxy)

I now have in my policy.py:

    def Zhttps():
        Service("INhttps", INhttps, router=DirectedRouter(SockAddrInet("10.0.0.9", 80)))
        Listener(SockAddrInet("aaa.bbb.ccc.ddd", 50443), "INhttps")

    class StrongPsslProxy(PsslProxy):
        def config(self):
            PsslProxy.config(self)
            # docs say PSSL_VERIFY_NONE
            # this will change but for now agree with present code
            self.client_verify_type = SSL_VERIFY_NONE
            #self.server_ca_directory = "/etc/ssl/certs/"

    class OWAHttpProxy(HttpProxy):
        def config(self):
            HttpProxy.config(self)
            self.request_header["Front-End-Https"] = (HTTP_HDR_INSERT, "on")

    class INhttps(StrongPsslProxy):
        def config(self):
            StrongPsslProxy.config(self)
            self.server_need_ssl = FALSE
            self.client_key_file = "/etc/ssl/private/owa.key"
            self.client_cert_file = "/etc/ssl/certs/owa.crt"
            self.stack_proxy = OWAHttpProxy

which seems to work.

Thanks again

David Yerger
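As an added example, not code from this thread or from Zorp itself: a small pre-flight check for the two points above, the tuple form of stack_proxy that made Zorp's stackProxy() fail on proxy_class.__name__, and the now passphrase-less owa.key, whose file permissions are all that protects the private key. The PsslProxy/HttpProxy classes and Z_STACK_PROXY below are stand-ins, since the real Zorp modules are only importable on the firewall host.

```python
import os
import stat

# Constructed stand-ins for the Zorp policy classes and constant; the real
# ones live in the Zorp python library and are not importable here.
class PsslProxy(object):
    pass

class HttpProxy(object):
    pass

Z_STACK_PROXY = object()

class OWAHttpProxy(HttpProxy):
    pass

def check_stack_proxy(value):
    """Validate a stack_proxy setting before the policy is loaded.

    Zorp's stackProxy() logs proxy_class.__name__, which is what raised
    AttributeError for the tuple (Z_STACK_PROXY, OWAHttpProxy). Returns the
    class name when the setting is a proxy class, otherwise an error string.
    """
    if isinstance(value, tuple):
        return "error: stack_proxy is a tuple; assign the proxy class itself"
    if not isinstance(value, type):
        return "error: stack_proxy is not a proxy class: %r" % (value,)
    return value.__name__

def key_file_is_private(path):
    """True if the PEM key file is readable by its owner only.

    Once the passphrase is stripped, the group/other permission bits are
    the only thing keeping the private key from other local users.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

if __name__ == "__main__":
    print(check_stack_proxy(OWAHttpProxy))                    # OWAHttpProxy
    print(check_stack_proxy((Z_STACK_PROXY, OWAHttpProxy)))   # error: ...
```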