On 11/1/2019 8:37 PM, Amos Jeffries wrote:
Oh well. That was the closest Squid has. I was hoping the library would send a cert request but not verify the client's response, so the details would be available for logging etc. as handshake parameters. If that client cert request/delivery is not working, then the only alternative would be two proxy ports, one with client certificates required and one without, which does not match what you are trying to achieve. If this is of particular importance, a patch/PR is welcome. I will keep it in mind for future TLS improvements, but there are no guarantees that way. <https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F> <https://wiki.squid-cache.org/DeveloperResources>
I've done a quick hack to remove SSL_VERIFY_FAIL_IF_NO_PEER_CERT from Ssl::SetupVerifyCallback in ssl/support.cc. It *appears* that this accomplishes what I want: I'm seeing client cert info when one is provided and none when it isn't (in acl user_cert, logging, external_acl_handler, etc.). Anyone know of gotchas I could be missing? Some data structures or behavior expecting the VERIFY_FAIL_IF_NO_PEER_CERT behavior? If it sounds safe, I'll look into turning this into a proper sslflags option.
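For readers who want to see the "request but do not require" verify mode in isolation, here is an added example (not Squid's code and not part of the thread) using Python's stdlib ssl module as an analogue for the OpenSSL flags: ssl.CERT_OPTIONAL is SSL_VERIFY_PEER alone, ssl.CERT_REQUIRED is SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT. The helper names and the sample certificate dict are constructed for the example; a certificate that is sent but does not chain to the trusted CA still aborts the handshake in either mode, so "no cert" and "bad cert" remain distinguishable downstream.

```python
import ssl


def make_server_context(ca_file=None, require_client_cert=False):
    """Server-side context that asks every client for a certificate.

    require_client_cert=False (CERT_OPTIONAL) lets clients that send nothing
    complete the handshake; a certificate that IS sent must still verify
    against ca_file. require_client_cert=True (CERT_REQUIRED) rejects the
    no-certificate case, as SSL_VERIFY_FAIL_IF_NO_PEER_CERT does.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def client_cert_fields(peer_cert):
    """Flatten SSLSocket.getpeercert() output into log/ACL-ready fields.

    Returns None when the client sent no certificate (getpeercert() -> None)
    or when the certificate was never validated (getpeercert() -> {}), so an
    ACL cannot mistake either case for an authenticated client.
    """
    if not peer_cert:
        return None

    def rdn_map(name):
        # getpeercert() encodes a DN as a tuple of RDNs, each a tuple of pairs.
        return {k: v for rdn in name for (k, v) in rdn}

    subject = rdn_map(peer_cert.get("subject", ()))
    issuer = rdn_map(peer_cert.get("issuer", ()))
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "serial": peer_cert.get("serialNumber"),
        "not_after": peer_cert.get("notAfter"),
    }


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "XX"),), (("organizationName", "Example Org"),),
                (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "serialNumber": "0A1B2C",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
```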
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users