On 11/1/2019 2:32 AM, Amos Jeffries wrote:
> On 1/11/19 9:19 am, Antonio SJ Musumeci wrote:
>> Is there a way to do something similar to NGINX's "ssl_verify_client
>> optional;"?
>
> Set sslflags=DELAYED_AUTH on the http(s)_port line.
>
> Though why you would want to slow every TLS connection setup with KBs of
> certificates pushed in both directions then "dropped on the floor" is
> beyond me.
>
> Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
The docs indicated that DELAYED_AUTH isn't implemented and doesn't seem
to work on 4.8. If I enable it, it acts as if no certs are passed, and the
http_access user_cert acl I set up, which works fine when not using
DELAYED_AUTH, does not seem to trigger the verification.

Regardless, the point is to create an "anonymous" setup. Not all clients
have, need, or can provide certs. With NGINX setting verify to optional,
I can verify iff they are provided, allowing me to convert no certs into
a generic guest / anonymous account and entitle separately.

If I understand DELAYED_AUTH's behavior, this isn't going to get me that.
I need to be able to tell if the cert was provided. If verification is
just delayed till when the acl is processed, that doesn't help unless
there is an acl I'm missing that indicates a cert was provided. The
ssl_error acl values all imply existence.