On 12/10/19 10:08 PM, GeorgeShen wrote:
> I've seen some posts saying there is a way to configure the squid proxy to
> get the client certificate.

Yes, look for "client certificate" in your squid.conf.documented.

> But to be scalable (assume it has many https clients)

If you are implying that Squid would check whether the client has sent a
particular client certificate copy, then this is not how certificate
authentication works. Squid would validate whether the client has sent a
certificate _signed_ by the configured client CA certificate. A single CA
certificate can be used to sign (i.e. issue) millions of client certificates.

> I'm wondering if the proxy can ask for the client certificate and
> modify that certificate in negotiating the session with the server;

It is possible in theory but Squid cannot do that. There could be some very
special environments where such a scheme would make sense, but keep in mind
that the server would have to share its client CA certificate (or equivalent)
with Squid for the scheme to work.

> I understand in the current timeline, the proxy is
> negotiating with the server before accepting the tls hello from client.

In most SslBump setups, Squid negotiates with the server _after_ seeing the
TLS client Hello.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
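The setup Alex describes, written out as an added squid.conf example (not from the thread or from the Squid project): the port, file paths, and the CA and organisation names are assumptions.

```conf
# Added example: a TLS listener on which Squid asks each client for a
# certificate and accepts only those chaining to the configured client CA.
# Port 3129, the /etc/squid/tls/ paths and the names below are assumptions.
https_port 3129 tls-cert=/etc/squid/tls/proxy.crt tls-key=/etc/squid/tls/proxy.key clientca=/etc/squid/tls/client-ca.pem

# clientca= is the check Alex describes: Squid verifies the signature chain,
# so one CA file covers every certificate that CA issues; Squid keeps no
# per-client copies of certificates.

# Optional narrowing on certificate contents. ca_cert matches fields of the
# issuing CA's certificate, user_cert fields of the client's own subject.
# "ExampleClientCA" and "ExampleCorp" are assumed values.
acl from_expected_ca ca_cert CN ExampleClientCA
acl corp_client user_cert O ExampleCorp

http_access deny !from_expected_ca
http_access allow corp_client
http_access deny all
```

Clients must be configured to reach the proxy itself over TLS (a "secure web proxy" on port 3129 here) for the certificate request to happen at all; a client that presents no certificate, or one signed by another CA, fails the handshake before any http_access rule runs.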