Re: [squid-users] "Proxying" a client certificate

From: Peter Vereshagin <peter_at_vereshagin.org>
Date: Tue, 18 May 2010 18:42:34 +0400

You can leave your hat on, apmailist!

You are asking about the man-in-the-middle (MITM) technique for proxying.
Squid is known to be incapable of this: it does not parse the SSL requests. It
can proxy them as vanilla sockets via the HTTP CONNECT method.
I used to implement such a thing for myself with a set of methods, but the
common choices are: a CGI kind of proxy that is running on the hosting,
and specialized software capable of MITM for HTTPS, like nginx.
For the first case, you should dig into the corresponding libraries, like
Net::SSLeay in case your CGI proxy is made in Perl. I myself am not even sure
whether Net::SSLeay is capable of verifying SSL via the CA list. Probably curl
handles this better.
For the second case, I've already requested this as a feature for nginx. (I
did not request the x.509 PKI feature yet though; only the CA and CRL lists to
be possible to supply for nginx's proxy_pass directive.) But anyway: nginx
isn't about to support the CONNECT method like squid does. So you may want to
use squid with a fake resolver to be able to use your nginx as an HTTPS
MITM proxy ;-)
You may find such code helpful for this:
http://gitweb.vereshagin.org/fcgiproxy There are config samples somewhere
inside.

2010/05/18 15:40:31 +0200 apmailist_at_free.fr => To squid-users_at_squid-cache.org :
> Hello,
>
> I'm about to ask a daft question, maybe.
> Several proxy clients will need to access a website that requires a
> client certificate. In order to avoid deploying this certificate on
> each client, we would like to install the certificate on squid so it
> can pass it to the web server.
> Is this technically possible?
> This is maybe a security breach.
> All the info I found relate to certificates and reverse proxies.
>
> Thank you
>
> Andrew

73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)

-- 
http://vereshagin.org
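As an added example, not code from this thread or from the fcgiproxy project: the nginx side of the "second case" described in the reply, as later nginx releases (1.7.8 and newer) support it, where the proxy holds the shared client certificate for its users and verifies the upstream site against a CA list and a CRL on proxy_pass. All file paths, the listen address, the allowed network and the upstream host name are placeholders.

```nginx
# Added example: nginx holds one client certificate on behalf of its users
# and presents it to the upstream site. Placeholders: every path, the
# listen address, the allowed network and the upstream host name.
server {
    listen 127.0.0.1:8443 ssl;
    server_name proxy.internal.example;          # placeholder

    ssl_certificate     /etc/nginx/proxy.crt;    # placeholder
    ssl_certificate_key /etc/nginx/proxy.key;    # placeholder

    # Anyone who can reach this server borrows the shared certificate,
    # so restrict who may reach it at all.
    allow 10.0.0.0/8;                            # placeholder network
    deny  all;

    location / {
        proxy_pass https://site.example;         # placeholder upstream

        # The shared client certificate presented to the upstream.
        proxy_ssl_certificate     /etc/nginx/client.crt;   # placeholder
        proxy_ssl_certificate_key /etc/nginx/client.key;   # placeholder

        # Verify the upstream against a CA list and a CRL, which is what
        # the reply asks nginx to support for proxy_pass.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;  # placeholder
        proxy_ssl_crl                 /etc/nginx/upstream.crl;     # placeholder

        # Check the upstream certificate against the intended name and
        # send SNI so a virtual-hosted upstream returns the right cert.
        proxy_ssl_name                site.example;
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    }
}
```

Without proxy_ssl_verify the proxy would present the client certificate to whatever answers at the upstream address, so the CA list and CRL are the part that keeps the shared credential from being handed to an impostor.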
Received on Tue May 18 2010 - 14:43:31 MDT

This archive was generated by hypermail 2.2.0 : Tue May 18 2010 - 12:00:05 MDT