> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Wednesday, November 20, 2013 1:59 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: intercepting SSL connections with client certificate
>
> On 20/11/2013 8:02 p.m., Shinoj Gangadharan wrote:
> >>> 1. sslbump is not passing on the client cert - I think this will be
> >>> fixed with SSLPeekandSplice feature
> >>> (http://wiki.squid-cache.org/Features/SslPeekAndSplice)
> >>
> >> I do not think this can be "fixed". IIRC, Squid cannot forward the
> >> client certificate to the server on a bumped connection: During SSL
> >> handshake, the client certificate is sent along with a digest of SSL
> >> messages seen by the client so far. That digest is encrypted with the
> >> client private key. Squid would not be able to create that digest
> >> because Squid does not have access to the client private key and the
> >> client digest will not match the server view of the communication.
> >> This is one of the defense layers against the man-in-the-middle attack.
> >>
> >> Just like Squid cannot forward the server certificate to the client,
> >> Squid cannot forward the client certificate to the server. If a
> >> connection is bumped, both certificates can only be faked, not
> >> forwarded "as is".
> >>
> >> Squid does not support faking client certificates.
> >>
> >
> > It would be great if we have an option to specify client cert and key
> > for a specific IP/domain like in cache_peer - I know this is going
> > to be complicated.
> >
> >>
> >>> 2. Plain old cache_peer is not working with SSL due to this bug (this
> >>> is my guess): "There is a bug in Squid where it can not forward CONNECT
> >>> requests properly to ssl enabled peers." By Henrik from:
> >>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-SSL-Interception-td4582940.html
> >>
> >> I am not sure exactly which problem you are referring to, but TCP
> >> tunnels to SSL peers are unofficially supported in
> >> https://code.launchpad.net/~measurement-factory/squid/connect2ssl
> >>
> >
> > Is it possible to use Parent Proxy with SSL Bump? The following
> > config does not forward requests to parent proxy. It always connects
> > directly:
> >
> > acl wc dstdomain mydomain.com
> >
> > cache_peer testp.parentproxy.com parent 443 0 originserver no-query proxy-only ssl sslflags=DONT_VERIFY_PEER name=wimi
> > cache_peer_access wimi allow all
> >
> > never_direct allow wc
> >
> > always_direct allow all
> >
>
> always_direct overrides never_direct and both of those override
> cache_peer_*
>
> Try this:
> always_direct allow !wc
>
> Amos

With always_direct allow !wc I get this error:

Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches.

Regards,
Shinoj.
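The precedence Amos states (always_direct wins over never_direct, and both win over cache_peer_access) is what decides whether a bumped request ever reaches the parent. The following is an added model written for this thread, not Squid source code and not anything posted by the participants: it evaluates the posted squid.conf fragment and Amos's corrected always_direct line against a destination host and reports where the request would be routed. ACL matching is reduced to the dstdomain type, `all` is treated as an always-matching ACL, and the `peer_usable` flag is an assumption standing in for whatever made the parent unusable in Shinoj's last message (the thread does not establish the cause); when never_direct forces a peer and no peer is usable there is no fallback to the origin, which is the "Unable to forward" outcome.

```python
# Constructed model of Squid's forwarding precedence as described in the
# thread: always_direct overrides never_direct, and both override
# cache_peer_access. This is an illustration, NOT Squid's own code; ACL
# matching is simplified to the dstdomain type only.

ALL = "all"  # the built-in 'all' ACL is modelled as matching every host


def dstdomain_match(pattern, host):
    """Simplified dstdomain: '.example.com' matches the domain and its
    subdomains, a bare name matches that exact host, 'all' matches anything."""
    if pattern == ALL:
        return True
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_term_match(acls, term, host):
    """Evaluate one ACL term of an access line; a leading '!' negates it."""
    negate = term.startswith("!")
    name = term[1:] if negate else term
    matched = any(dstdomain_match(p, host) for p in acls.get(name, []))
    return matched != negate


def access_list_allows(rules, acls, host):
    """First rule whose terms all match decides; no matching rule means deny.
    rules is a list of (action, [terms]), e.g. ('allow', ['!wc'])."""
    for action, terms in rules:
        if all(acl_term_match(acls, t, host) for t in terms):
            return action == "allow"
    return False


def select_route(host, conf, peer_usable=True):
    """Return 'DIRECT', 'PEER <name>' or 'UNABLE TO FORWARD' for host.

    Order mirrors the precedence Amos describes:
      1. always_direct allow  -> origin only, peers are never consulted
      2. never_direct allow   -> peers only, no origin fallback
      3. otherwise            -> prefer a permitted peer, fall back to origin
    """
    acls = conf["acl"]
    if access_list_allows(conf["always_direct"], acls, host):
        return "DIRECT"
    # Peers this request may use, per cache_peer_access; assumption:
    # peer_usable=False means the peer cannot take the request at all.
    peers = [name for name, rules in conf["cache_peer_access"].items()
             if peer_usable and access_list_allows(rules, acls, host)]
    if access_list_allows(conf["never_direct"], acls, host):
        return f"PEER {peers[0]}" if peers else "UNABLE TO FORWARD"
    return f"PEER {peers[0]}" if peers else "DIRECT"


# The configuration exactly as posted in the thread.
POSTED_CONF = {
    "acl": {"wc": ["mydomain.com"], ALL: [ALL]},
    "cache_peer_access": {"wimi": [("allow", [ALL])]},
    "never_direct": [("allow", ["wc"])],
    "always_direct": [("allow", [ALL])],
}

# Amos's suggestion: only the always_direct line changes.
FIXED_CONF = dict(POSTED_CONF, always_direct=[("allow", ["!wc"])])


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        for host in ("mydomain.com", "www.example.org"):
            print(f"{label:6} {host:16} -> {select_route(host, conf)}")
    # Peer forced by never_direct but unusable: no origin fallback remains.
    print("fixed  mydomain.com (peer down) ->",
          select_route("mydomain.com", FIXED_CONF, peer_usable=False))
```

Running it shows that with the posted configuration every host, including mydomain.com, goes DIRECT because `always_direct allow all` is evaluated first, matching Shinoj's observation; with the corrected line only mydomain.com is routed to `wimi`, and if that peer cannot take the request the result is the no-fallback error rather than a direct connection.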