On 10/31/18 10:55 PM, Sid wrote:

> Actually in my case Server is looking for a certificate to be sent by
> client; How to configure Squid to get
> this certificate from client for mutual authentication?

It is technically impossible to meaningfully forward a client certificate to the origin server when _bumping_ connections, and, hence, Squid cannot support such forwarding.

You should be able to configure a bumping Squid to send its own client certificate to the origin server though; see tls_outgoing_options cert=... key=....

The question is, can you give Squid the same client certificate as used by your client?

* If that client certificate is the same for all from-Squid traffic, you have access to the client certificate key, and you can store that key securely on the Squid server, then the answer is probably "yes". It would not be true "forwarding", but the origin server will get the certificate it expects, and Squid will be able to send the right TLS CertificateVerify message to prove that Squid has the private key.

* Otherwise, the answer is probably "no", and you cannot use client certificate-based authentication with the origin server while bumping connections. Whether it is possible to support that by enhancing Squid would depend on which precondition(s) in the first bullet are not satisfied. For example, it is possible to enhance Squid to select from a list of client certificates when bumping a server connection.

HTH,

Alex.
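A pre-flight check for the certificate/key pair you would hand to tls_outgoing_options cert=... key=..., as an added example that is not part of the original message or of Squid itself. It assumes the `openssl` command-line tool is installed; the function names `check_pair` and `make_sample_pair` and the throwaway self-signed pairs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify a client certificate/key pair
# before pointing tls_outgoing_options cert=... key=... at it.

# check_pair CERT KEY -> prints a verdict; returns 0 only if every check passes.
check_pair() {
    local cert=$1 key=$2 cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: cannot read certificate"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "FAIL: cannot read private key"; return 2; }
    # A valid CertificateVerify needs the private key that matches the cert.
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate"; return 1; }
    # Flag a certificate whose notAfter date has already passed.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate has expired"; return 1; }
    # Group/other permission bits on the key file must all be clear.
    [ "$(ls -ld -- "$key" | cut -c5-10)" = "------" ] \
        || { echo "FAIL: key file is accessible to group or others"; return 1; }
    echo "OK"
}

# Constructed sample: throwaway self-signed pair, for demonstration only.
make_sample_pair() {   # usage: make_sample_pair DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
    chmod 600 "$1/$2.key"
}

demo() {
    local d; d=$(mktemp -d)
    make_sample_pair "$d" client-a
    make_sample_pair "$d" client-b
    check_pair "$d/client-a.pem" "$d/client-a.key"            # matching pair
    check_pair "$d/client-a.pem" "$d/client-b.key" || true    # wrong key
    chmod 644 "$d/client-a.key"
    check_pair "$d/client-a.pem" "$d/client-a.key" || true    # key too open
    rm -rf "$d"
}
demo
```

Run it as the account that will own the key on the Squid server, so the permission check reflects what that host actually exposes.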