On 20/11/2013 8:02 p.m., Shinoj Gangadharan wrote:
>>> 1. sslbump is not passing on the client cert - I think this will be
>>> fixed with the SSLPeekandSplice feature
>>> (http://wiki.squid-cache.org/Features/SslPeekAndSplice)
>>
>> I do not think this can be "fixed". IIRC, Squid cannot forward the client
>> certificate to the server on a bumped connection: During the SSL handshake, the
>> client certificate is sent along with a digest of SSL messages seen by the client
>> so far. That digest is encrypted with the client private key. Squid would not
>> be able to create that digest because Squid does not have access to the client
>> private key, and the client digest will not match the server view of the
>> communication. This is one of the defense layers against the man-in-the-middle
>> attack.
>>
>> Just like Squid cannot forward the server certificate to the client, Squid
>> cannot forward the client certificate to the server. If a connection is bumped,
>> both certificates can only be faked, not forwarded "as is".
>>
>> Squid does not support faking client certificates.
>>
>
> It would be great if we had an option to specify a client cert and key for
> a specific IP/domain, like in cache_peer - I know this is going to be
> complicated.
>
>>
>>> 2. Plain old cache_peer is not working with SSL due to this bug (this
>>> is my guess): "There is a bug in Squid where it can not forward CONNECT
>>> requests properly to ssl enabled peers." By Henrik from:
>>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-SSL-Interception-td4582940.html
>>
>> I am not sure exactly which problem you are referring to, but TCP tunnels to
>> SSL peers are unofficially supported in
>> https://code.launchpad.net/~measurement-factory/squid/connect2ssl
>>
>
> Is it possible to use a Parent Proxy with SSL Bump? The following config
> does not forward requests to the parent proxy. It always connects directly:
>
> acl wc dstdomain mydomain.com
>
> cache_peer testp.parentproxy.com parent 443 0 originserver no-query
> proxy-only ssl sslflags=DONT_VERIFY_PEER name=wimi
> cache_peer_access wimi allow all
>
> never_direct allow wc
>
> always_direct allow all

always_direct overrides never_direct, and both of those override cache_peer_*

Try this:
  always_direct allow !wc

Amos
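The precedence Amos describes, written out as a complete squid.conf fragment. This is an added example, not configuration from the original thread or from the Squid project; the acl name "wc", the peer name "wimi", and the host names are the ones posted above, while the CA file path in the comment is an assumed placeholder.

```conf
# Routing order in Squid: always_direct is checked first and takes
# precedence over never_direct; both decide before cache_peer_access
# is consulted for peer selection.
#
# Ordering that never reaches the peer (as posted):
#   never_direct allow wc
#   always_direct allow all      <- matches every request, so "wc" goes direct

acl wc dstdomain mydomain.com

# Peer as posted. sslflags=DONT_VERIFY_PEER accepts the parent's certificate
# even when it fails verification, so the Squid-to-parent TLS hop can be
# impersonated on the path. Pin the issuing CA instead (placeholder path):
#   cache_peer testp.parentproxy.com parent 443 0 originserver no-query \
#       proxy-only ssl sslcafile=/etc/squid/parent-ca.pem name=wimi
cache_peer testp.parentproxy.com parent 443 0 originserver no-query \
    proxy-only ssl sslflags=DONT_VERIFY_PEER name=wimi

# Restricting the peer to the domain it is meant for is harmless here,
# because everything else goes direct anyway.
cache_peer_access wimi allow wc
cache_peer_access wimi deny all

# Corrected ordering: exclude the peered domain from always_direct so that
# never_direct can force it through the parent.
always_direct allow !wc
never_direct allow wc
```

After changing the file, `squid -k parse` reports syntax problems and `squid -k reconfigure` applies the change; requests for mydomain.com should then show the "wimi" peer in access.log's hierarchy field instead of a DIRECT entry.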