
Re: Client Certificate Authentication

Hi Amos and list members,

Reading the available information in the Internet I'm not sure if
this is possible or not.

It is. Though not easily.

Ok

Squid https_port can accept forward proxy traffic as easily as
reverse-proxy traffic. The difficulty comes when you find out that none
of the popular browsers actually open HTTPS connections to proxies. A
stunnel wrapper is needed to apply the SSL bit from the user's box to the
Squid.

I didn't know this. Might it be that they are confused and that they might be using Kerberos or something like that, which in essence is based on certificates?

I have also seen SSLBump that seems in that topic.

Nope, this is MITM on HTTPS. No per-user certificates involved.

Ok

BTW, I would like the proxy to use User's certificate when
authenticating against other (external) servers.

It cannot. The SSL traffic which follows a certificate CANNOT be
generated without the secret keys associated with the certificate. Squid
does not have this information and can only be configured to use one set
of keys for all DIRECT outgoing traffic.

What you have instead is a certificate authorizing Squid to open
connections to external places plus some ACL rules in squid.conf
limiting which clients are allowed to go via HTTPS to those places.
Those external places see Squid as the client software even with regular
HTTP traffic.

Mmmm, I have seen commercial products that state they are able to analyze SSL traffic with a MITM attack. I understand this is of course a security concern by itself, but I thought these products were doing this. Might it be they are using a generic certificate for all of them?

Very thankful for your replies. Regards

--
Jaime Nebrera - jnebrera@xxxxxxxxxxxxxxxxxx
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
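Putting the pieces of Amos's answer together as an added configuration sketch (not from the original thread or the Squid project): an https_port for the encrypted client-to-proxy leg, the single outgoing certificate Squid uses for all DIRECT TLS connections, ACL rules restricting which clients may tunnel HTTPS and to where, and the stunnel wrapper on the user's box. Every path, address and hostname is a placeholder, and the cert=/key= and sslproxy_client_* forms assume a Squid 3.x build.

```conf
# --- squid.conf (on the proxy) ---
# Encrypted client->proxy leg: Squid terminates TLS on this port itself.
# proxy.pem / proxy.key are placeholder paths for the proxy's own server
# certificate and private key (Squid 3.x cert=/key= syntax).
https_port 3129 cert=/etc/squid/proxy.pem key=/etc/squid/proxy.key

# The ONE certificate Squid presents on all direct outgoing TLS
# connections. It identifies the proxy, never an individual user,
# because Squid holds no user's private key (Squid 3.x directives).
sslproxy_client_certificate /etc/squid/outgoing.pem
sslproxy_client_key         /etc/squid/outgoing.key

# Per-client control of who may tunnel HTTPS (CONNECT) and to where.
# 192.0.2.0/24 and .partner.example are constructed sample values.
acl ssl_clients src       192.0.2.0/24
acl ssl_dests   dstdomain .partner.example
acl SSL_ports   port      443
acl CONNECT     method    CONNECT

http_access deny  CONNECT !SSL_ports            # tunnels only to 443
http_access allow CONNECT ssl_clients ssl_dests # allowed clients/places
http_access deny  CONNECT                       # nobody else tunnels
http_access allow ssl_clients                   # plain HTTP for them
http_access deny  all

# --- stunnel.conf (on each user's box) ---
# The browser speaks plain HTTP to a local port; stunnel wraps that in
# TLS towards the https_port above. Hostname and port are placeholders.
client  = yes
[squid]
accept  = 127.0.0.1:3128
connect = proxy.example.net:3129
# Verify the proxy's certificate against a trusted CA so a rogue host
# cannot impersonate the proxy to the browser.
verify  = 2
CAfile  = /etc/stunnel/proxy-ca.pem
```

With this in place the browser's proxy setting points at 127.0.0.1:3128, and external servers only ever see the outgoing.pem identity, exactly as Amos describes.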

