> > 1. sslbump is not passing on the client cert - I think this will be
> > fixed with SSLPeekandSplice feature
> > (http://wiki.squid-cache.org/Features/SslPeekAndSplice)
>
> I do not think this can be "fixed". IIRC, Squid cannot forward the client
> certificate to the server on a bumped connection: During the SSL handshake,
> the client certificate is sent along with a digest of the SSL messages seen
> by the client so far. That digest is encrypted with the client private key.
> Squid would not be able to create that digest because Squid does not have
> access to the client private key, and the client digest will not match the
> server view of the communication. This is one of the defense layers against
> the man-in-the-middle attack.
>
> Just like Squid cannot forward the server certificate to the client, Squid
> cannot forward the client certificate to the server. If a connection is
> bumped, both certificates can only be faked, not forwarded "as is".
>
> Squid does not support faking client certificates.

It would be great if we had an option to specify a client cert and key for a
specific IP/domain, like in cache_peer. I know this is going to be complicated.

> > 2. Plain old cache_peer is not working with SSL due to this bug (this
> > is my guess): "There is a bug in Squid where it can not forward CONNECT
> > requests properly to ssl enabled peers." By Henrik from:
> > http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-SSL-Interception-td4582940.html
>
> I am not sure exactly which problem you are referring to, but TCP tunnels to
> SSL peers are unofficially supported in
> https://code.launchpad.net/~measurement-factory/squid/connect2ssl

Is it possible to use a parent proxy with SSL Bump? The following config does
not forward requests to the parent proxy. It always connects directly:

acl wc dstdomain mydomain.com
cache_peer testp.parentproxy.com parent 443 0 originserver no-query proxy-only ssl sslflags=DONT_VERIFY_PEER name=wimi
cache_peer_access wimi allow all
never_direct allow wc
always_direct allow all

I have also tried:

cache_peer_domain wimi mydomain.com

instead of cache_peer_access above.

Please advise.

Regards,
Shinoj.
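Editor's note on the posted configuration, with an added example that is not part of the thread: Squid evaluates always_direct before never_direct, and an always_direct match wins. "always_direct allow all" therefore matches every request, the "never_direct allow wc" rule is never consulted, and everything goes direct, which is exactly the symptom described above. The fragment below shows the posted rules beside a corrected ordering. It also drops sslflags=DONT_VERIFY_PEER, which disables verification of the peer's certificate and lets anyone who can intercept the Squid-to-peer link impersonate the parent. The CA file path is a placeholder, and dropping "originserver" assumes testp.parentproxy.com is a forwarding proxy rather than the origin server; keep it if the peer really is the origin. Whether a bumped HTTPS request can then be relayed to an SSL parent at all depends on the Squid build, as the reply above notes.

```conf
# Added example, not from the thread: the posted routing rules and a corrected
# version. Squid checks always_direct first; if it allows, the request goes
# direct and never_direct is not consulted.

acl wc dstdomain mydomain.com

# Posted version (kept as comments): "always_direct allow all" matches every
# request, so wc never reaches the peer.
#   never_direct  allow wc
#   always_direct allow all

# Corrected version: wc is forced through the peer, everything else is forced
# direct.
never_direct  allow wc
always_direct allow !wc

# Peer definition. Assumptions not taken from the thread:
#  - "originserver" is removed because the peer is assumed to be a forwarding
#    proxy (originserver makes Squid treat the peer as the origin server);
#  - /etc/squid/parent-ca.pem is a placeholder path for the CA that issued the
#    parent's certificate; it replaces sslflags=DONT_VERIFY_PEER so the peer
#    certificate is actually verified.
cache_peer testp.parentproxy.com parent 443 0 no-query proxy-only ssl sslcafile=/etc/squid/parent-ca.pem name=wimi

# Only send wc traffic to this peer; deny the rest explicitly.
cache_peer_access wimi allow wc
cache_peer_access wimi deny all
```

Check the result with "squid -k parse" before reloading, and raise peer-selection logging (for example "debug_options ALL,1 44,3") to see in cache.log which of always_direct or never_direct matched for a given request; with the posted ordering the log shows always_direct allowing every request.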