On 6/11/2014 11:35 a.m., Jason Haar wrote:
> I haven't tested this so I may be embarrassing myself, but I doubt
> client certs and sslbump play nicely together as the end-server
> would never see any possible client cert interaction

SSL-bump in which Squid version?

There is an arms race going on between browsers, site owners and bumping proxies. Each major series of Squid has had a different variation on what bumping can do and what breaks.

> I was wondering how quickly the need of a client cert is
> announced?

see http://tools.ietf.org/html/rfc5246#section-7.4.6

> Could/does squid notice the server requirement for client certs and
> fall back into passthrough mode?

Maybe yes maybe no. As I understand things right now it is part of the crypto which follows the 3rd (final?) peek-n-splice "step".

> It would certainly be a great option to
> have. ie force most https traffic through sslbump, but allow squid
> to bypass it for the (very) few sites that require client certs.

The ServerHello has an explicit request for client-cert. So this demand from the server should be detectable during SSL-bump step3 ACL processing, even though the client cert itself is probably unavailable.

Amos
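Added example, not from this thread or from Squid's code: a small Python parser for the server's first TLS 1.2 flight (the cleartext handshake of RFC 5246) that reports whether a CertificateRequest message (handshake type 13, RFC 5246 section 7.4.6) is present, which is what a step3 peek-then-splice decision would need to detect. It reassembles handshake messages that are packed several per record or split across records; the two sample flights are constructed placeholders with dummy message bodies, not real handshakes.

```python
import struct

HANDSHAKE = 22            # TLS record content type
CERTIFICATE_REQUEST = 13  # RFC 5246 section 7.4.6
SERVER_HELLO_DONE = 14    # end of the server's first flight

def handshake_types(records: bytes):
    """Yield handshake message types from a byte stream of TLS records.

    Handshake messages may share one record or span several, so the
    handshake layer is reassembled before each message is parsed.
    Parsing stops at ServerHelloDone, where the server's flight ends.
    """
    body = bytearray()
    pos = 0
    while pos + 5 <= len(records):
        ctype, _ver, rlen = struct.unpack("!BHH", records[pos:pos + 5])
        pos += 5
        if ctype != HANDSHAKE:    # alerts, CCS, app data: skip, do not parse
            pos += rlen
            continue
        body += records[pos:pos + rlen]
        pos += rlen
        while len(body) >= 4:
            htype = body[0]
            hlen = int.from_bytes(body[1:4], "big")
            if len(body) < 4 + hlen:
                break             # rest of this message is in a later record
            yield htype
            del body[:4 + hlen]
            if htype == SERVER_HELLO_DONE:
                return

def server_requests_client_cert(records: bytes) -> bool:
    """True if the server's flight contains a CertificateRequest."""
    return CERTIFICATE_REQUEST in handshake_types(records)

def _hs(htype: int, payload: bytes) -> bytes:   # one handshake message
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload

def _rec(payload: bytes) -> bytes:              # one TLS 1.2 handshake record
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload

# Constructed sample flights (placeholder bodies, not real certificates).
SH = _hs(2, b"\x03\x03" + b"\x00" * 36)         # ServerHello
CERT = _hs(11, b"\x00\x00\x00")                 # Certificate (empty list)
CR = _hs(13, b"\x01\x01\x00\x00\x00\x00")       # CertificateRequest: rsa_sign, no CAs
DONE = _hs(14, b"")                             # ServerHelloDone
FLIGHT_WITH_REQUEST = _rec(SH + CERT + CR[:3]) + _rec(CR[3:] + DONE)  # CR split
FLIGHT_WITHOUT_REQUEST = _rec(SH) + _rec(CERT + DONE)
```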