Hi Amos,

Thanks for the reply. Different things seem to be impacting me at the moment:

1. sslbump is not passing on the client cert - I think this will be fixed with the SSLPeekandSplice feature (http://wiki.squid-cache.org/Features/SslPeekAndSplice?highlight=%28C{1}ategoryFeature%29|%28D{1}eveloper.*AlexRousskov%29)

2. Plain old cache_peer is not working with SSL due to this bug (this is my guess): "There is a bug in Squid where it can not forward CONNECT requests properly to ssl enabled peers." By Henrik from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-SSL-Interception-td4582940.html

3. Even if 2 works, I can not find a way to send the request to the peer, since sslbump uses a direct connection without an option of forwarding to cache peers.

I am defining the server as a peer with the option originserver and using the client cert in the ssl config. I am then restricting the domains that can be sent to this peer using dstdomain. After this I get hit as sslbump only supports direct connection.

I guess I am stuck :)

Thanks and Regards,
Shinoj.

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Tuesday, November 19, 2013 3:44 PM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: intercepting SSL connections with client certificate

On 19/11/2013 12:42 a.m., Shinoj Gangadharan wrote:
> Hi,
>
> I am able to intercept normal SSL connections using ssl_bump. How can
> I pass on the client certificate to the server? I tried using
> cache_peer but could not get it to work. Here is the conf:
>
> acl myacl dstdomain myssldomain.com
>
> cache_peer ssl.myssldomain.com parent 443 0 no-query proxy-only originserver ssl sslcert=/home/certificates/cl2.crt sslflags=DONT_VERIFY_PEER name=myssl
> cache_peer_access myssl allow myacl
> never_direct allow myacl
>
>
> I have disabled always_direct:
>
> #always_direct allow all
>

Re-enable always_direct for server-first bumping to work as designed.
Otherwise you are just sending the client your peer's SSL certificates.

That's all the help I can give for now, sorry.

FWIW I don't think we have a client-mimicking feature in Squid at this point. So client certs may be passed onward, but likely not to be, as Squid wants to be able to decrypt the server data, which will be encrypted against the client cert key.

Amos