Re: [squid-users] Client Certificate Authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 15 Mar 2011 22:51:02 +1300

On 15/03/11 20:26, Jaime Nebrera wrote:
> Hi Amos and list members,
>
>>> Reading the available information in the Internet I'm not sure if
>>> this is possible or not.
>>
>> It is. Though not easily.
>
> Ok
>
>> Squid https_port can accept forward proxy traffic as easily as
>> reverse-proxy traffic. The difficulty comes when you find out that none
>> of the popular browsers actually open HTTPS connections to proxies. A
>> stunnel wrapper is needed to apply the SSL bit from the users box to the
>> Squid.
>
> I didn't know this. Might it be that they are confused and that they
> might be using Kerberos or something like that, which in essence is based
> on certificates?

What do you mean by "they" being confused? You earlier said you were
setting this up. My answer was based around your question.

>
>>> I have also seen SSLBump that seems in that topic.
>>
>> Nope, this is MITM on HTTPS. No per-user certificates involved.
>
> Ok
>
>>> BTW, I would like the proxy to use User's certificate when
>>> authenticating against other (external) servers.
>>
>> It cannot. The SSL traffic which follows a certificate CANNOT be
>> generated without the secret keys associated with the certificate. Squid
>> does not have this information and can only be configured to use one set
>> of keys for all DIRECT outgoing traffic.
>>
>> What you have instead is a certificate authorizing Squid to open
>> connections to external places plus some ACL rules in squid.conf
>> limiting which clients are allowed to go via HTTPS to those places.
>> Those external places see Squid as the client software even with regular
>> HTTP traffic.
>
> Mmmm, I have seen commercial products that state they are able to
> analyze SSL traffic with a MITM attack. I understand this is of course a
> security concern by itself, but I thought these products were doing this.
> Might it be they are using a generic certificate for all of them?
>
> Very thankful for your replies. Regards
>

They likely do it similarly to or the same way Squid does: with MITM and
generating a new fake certificate. You asked for ways to do it *without*
MITM, and relying on a specific existing client certificate set at the
browser end of the transaction. The fake certs used in MITM do not pass
validation such as a server checking for specific client certs does.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
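The two halves of Amos's answer, as an added squid.conf example that is not part of the original thread or of the Squid project's documentation: the client's own certificate is verified at https_port and used only as an ACL input to decide who may CONNECT where, while every outgoing TLS connection Squid makes presents one proxy-wide client certificate. All file paths, the port number, the organisation name "ExampleCorp" and the domain ".partner.example" are placeholders; the directive names (https_port with cert=/key=/clientca=, the user_cert ACL type, sslproxy_client_certificate and sslproxy_client_key) are the ones available in Squid 3.1.

```conf
# --- Client side: TLS from the user's box (via the stunnel wrapper the thread
# describes) terminates here. Squid presents its own server certificate and,
# because clientca= is set, requests and verifies a client certificate issued
# by our internal CA. Paths are placeholders.
https_port 3129 cert=/etc/squid/proxy-server.pem \
    key=/etc/squid/proxy-server.key \
    clientca=/etc/squid/internal-client-ca.pem

# Identify users by an attribute of the verified client certificate.
# user_cert matches DN/C/O/CN/L/ST of the presented certificate;
# "ExampleCorp" is a constructed value for this example.
acl cert_users user_cert O ExampleCorp

# Standard CONNECT hygiene: only allow tunnels to the HTTPS port.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# The "external places" clients may reach over HTTPS through this proxy.
# Placeholder domain for the example.
acl partner_sites dstdomain .partner.example

# Only clients holding a verified certificate may tunnel to those sites.
http_access allow CONNECT cert_users partner_sites
http_access allow cert_users !CONNECT
http_access deny all

# --- Server side: the single identity Squid itself uses for DIRECT outgoing
# TLS. The partner server sees this certificate, never the user's, because
# Squid holds only this private key. Paths are placeholders.
sslproxy_client_certificate /etc/squid/proxy-outgoing.pem
sslproxy_client_key /etc/squid/proxy-outgoing.key
sslproxy_cafile /etc/squid/partner-ca.pem
```

Note that the cert_users ACL is evaluated on the CONNECT request itself; what flows inside an allowed tunnel is opaque to Squid, so an upstream server that insists on a particular per-user client certificate will still only ever see the proxy-outgoing identity (and, for tunnelled CONNECT traffic, the end-to-end TLS handshake passes through untouched, so that server sees whatever the browser presents directly, not Squid's certificate).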
Received on Tue Mar 15 2011 - 09:51:08 MDT