On 11/19/2013 06:39 AM, Shinoj Gangadharan wrote:

> 1. sslbump is not passing on the client cert - I think this will be fixed
> with SSLPeekandSplice feature
> (http://wiki.squid-cache.org/Features/SslPeekAndSplice)

I do not think this can be "fixed". IIRC, Squid cannot forward the client
certificate to the server on a bumped connection: During SSL handshake, the
client certificate is sent along with a digest of SSL messages seen by the
client so far. That digest is encrypted with the client private key. Squid
would not be able to create that digest because Squid does not have access
to the client private key and the client digest will not match the server
view of the communication. This is one of the defense layers against the
man-in-the-middle attack.

Just like Squid cannot forward the server certificate to the client, Squid
cannot forward the client certificate to the server. If a connection is
bumped, both certificates can only be faked, not forwarded "as is". Squid
does not support faking client certificates.

> 2. Plain old cache_peer is not working with SSL due to this bug (this is my
> guess): "There is a bug in Squid where it can not forward CONNECT
> requests properly to ssl enabled peers." By Henrik from:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-SSL-Interception-td4582940.html

I am not sure exactly which problem you are referring to, but TCP tunnels to
SSL peers are unofficially supported in
https://code.launchpad.net/~measurement-factory/squid/connect2ssl

HTH,

Alex.
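The two reasons Alex gives (the proxy has no client private key, and the proxy's transcript with the server differs from the client's transcript with the proxy) can be modelled in a few lines. The following is an added illustration, not Squid code and not part of the thread: a toy textbook-RSA signature over a SHA-256 digest of a constructed list of handshake messages stands in for the TLS CertificateVerify message. Both the handshake message strings and the key sizes are constructed for the demonstration; real TLS uses padded signatures and a precisely defined transcript hash, but the possession-of-key and transcript-mismatch checks work the same way.

```python
"""Toy model of why a bumping proxy cannot forward a TLS client certificate.

Added example (not from Squid or the mailing list). Uses unpadded textbook
RSA with freshly generated 512-bit keys purely to show the mechanism.
"""
import hashlib
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with trial division first."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd prime with the top two bits set so p*q has full size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits: int = 512):
    """Return (private, public) textbook RSA keys: ((n, d), (n, e))."""
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, d), (n, e)


def transcript_digest(messages) -> int:
    """SHA-256 over the concatenated handshake messages one party has seen."""
    h = hashlib.sha256()
    for m in messages:
        h.update(m)
    return int.from_bytes(h.digest(), "big")  # 256 bits, always < 512-bit n


def sign(private, digest: int) -> int:
    n, d = private
    return pow(digest, d, n)


def verify(public, digest: int, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest


def demo():
    """Returns (genuine_ok, forwarded_ok, faked_ok) for the three checks."""
    client_priv, client_pub = gen_keypair()

    # Constructed handshake transcripts. The client talks to the proxy, which
    # presents a forged server certificate; the proxy talks to the real
    # server with its own ClientHello random and sees the real certificate.
    client_leg = [b"ClientHello rand=c1", b"ServerHello cert=FORGED-BY-PROXY",
                  b"ClientCertificate", b"ClientKeyExchange"]
    server_leg = [b"ClientHello rand=p7", b"ServerHello cert=REAL-SERVER",
                  b"ClientCertificate", b"ClientKeyExchange"]

    # 1. Genuine case: the client signs its own transcript; the party on the
    #    other end of that leg verifies it against the client's certificate.
    sig = sign(client_priv, transcript_digest(client_leg))
    genuine_ok = verify(client_pub, transcript_digest(client_leg), sig)

    # 2. Proxy forwards the client's signature unchanged: the server's view of
    #    the handshake differs, so the digest does not match.
    forwarded_ok = verify(client_pub, transcript_digest(server_leg), sig)

    # 3. Proxy signs the server-side transcript with a key it does own: the
    #    server checks against the public key in the forwarded client cert.
    proxy_priv, _ = gen_keypair()
    faked = sign(proxy_priv, transcript_digest(server_leg))
    faked_ok = verify(client_pub, transcript_digest(server_leg), faked)

    return genuine_ok, forwarded_ok, faked_ok


if __name__ == "__main__":
    print("genuine=%s forwarded=%s faked=%s" % demo())
```

Only the first check passes. Forwarding the real client certificate while bumping would therefore require either the client's private key or a transcript the proxy cannot reproduce, which is why the only options on a bumped connection are to splice (not bump) the connection or to present a proxy-issued client certificate, which Squid does not do.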