On 12/28/2015 07:34 AM, Alexei Mayanov wrote: > Is it possible to setup Squid to authenticate himself on the remote > origin by X509 certificate? I do not know for sure, but I suspect that: 1. SslBump transactions aside, one may configure Squid to authenticate itself to an origin server using an X509 certificate mentioned in squid.conf. If this is not possible, it is a missing feature or a bug. 2. It is possible to splice user-to-Squid and Squid-to-origin connections while preserving user-to-origin authentication using an X509 certificate provided by the user. If this is not possible, it is a missing feature or a bug. 3. It is possible to bump user-to-Squid and Squid-to-origin connections while Squid authenticates itself to the origin server using an X509 certificate mentioned in squid.conf. If this is not possible, it is a missing feature or a bug. 4. It is impossible to bump user-to-Squid and Squid-to-origin connections while preserving user-to-origin authentication using an X509 certificate provided by the user. Bumping does not (and cannot) impersonate an SSL client protected by a client certificate. Which variant are you after? > There is part of my test config for ssl bumping: > > ssl_bump peek all > ssl_bump bump all This combination usually does not work. Look for "prevents future bumping" and Limitations at http://wiki.squid-cache.org/Features/SslPeekAndSplice HTH, Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
