Re: Mutual authentication managed by Squid

Yuri Voinov <yvoinov@xxxxxxxxx> · Fri, 20 Feb 2015 15:41:26 +0600



    20.02.15 15:34, Ilya Karpov пишет:

    
      I’m not sure that using transparent sslbump squid
        will understand how to use client certificate for mutual
        authentication.
    
    As you configure it.

    
      At least without transparent ssl bump it doesn’t.
    
    Sure. 

    
      Did you try to use trspr-sslbump for client auth?
        How does squid pick right client certificate for certain host?
    
    Client auth on HTTPS sites is not function of transparent proxy. And
    yes, we don't use client serts on our transparent proxy. We simple
    bypass this sites directly without bumping. Let's client's do it
    yourself. This is not our responsibility.

    
    I see two ways to do that as you wish.

    
    1. Add sites, required client-certs auth to exclude bump list. I.e.,
    exclude proxy from chain.

    2. Configure proxy to use client certs with sites requires it using
    ACL's.

    
          Best regards,
          Ilya Karpov
          karpoftea@xxxxxxxxx
          

          20 февр. 2015 г., в 12:24, Yuri Voinov <yvoinov@xxxxxxxxx> написал(а):
          

             Transparent
              SSL Bump interception, eh?

              
              20.02.15 15:14, Ilya Karpov
                пишет:

              
                Hi guys,
                can anyone suggest solution to make
                  following scenario work using squid:
                

                step1. 
                Client(actually server application) calls HTTP://example.org squid via proxy.
                 |
                V 
                step2. 
                Proxy(Squid) understands that all calls to
                  HTTP://example.org should be changed to
                  HTTPS://example.org, trusts CA that
                  uses example.org and
                  knows client certificate to use for https client
                  authentication
                
                   |
                  V 
                
                step3.
                Origin(some server in internet) accepts
                  https request, authenticates client, returns response
                

                The main aim is to make client know
                  nothing about https complexity (storing
                  certificates/keys, knowing specific algorithms etc),
                  and make squid manage this things.
                

                    Best regards,
                    Ilya Karpov
                    karpoftea@xxxxxxxxx
                    

                _______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

              
            _______________________________________________

            squid-users mailing list

            squid-users@xxxxxxxxxxxxxxxxxxxxx

            http://lists.squid-cache.org/listinfo/squid-users

          
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users