Re: [squid-users] intercepting SSL connections with client certificate

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 19 Nov 2013 23:14:28 +1300

On 19/11/2013 12:42 a.m., Shinoj Gangadharan wrote:
> Hi,
>
> I am able to intercept normal SSL connections using ssl_bump. How can I
> pass on the client certificate to the server? I tried using cache_peer but
> could not get it to work. Here is the conf :
>
> acl myacl dstdomain myssldomain.com
>
> cache_peer ssl.myssldomain.com parent 443 0 no-query proxy-only
> originserver ssl sslcert=/home/certificates/cl2.crt
> sslflags=DONT_VERIFY_PEER name=myssl
> cache_peer_access myssl allow myacl
> never_direct allow myacl
>
>
> I have disabled always_direct :
>
> #always_direct allow all
>

Re-enable always_direct for server-first bumping to work as designed.
Otherwise you are just sending the client your peer's SSL certificates.

That's all the help I can give for now, sorry.

FWIW I don't think we have a client-mimicking feature in Squid at this
point. So client certs may be passed onward, but likely not to be, as
Squid wants to be able to decrypt the server data which will be
encrypted against the client cert key.

Amos
Received on Tue Nov 19 2013 - 10:14:38 MST
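For readers following this thread, here is an added squid.conf fragment illustrating the point in the reply above. It is not configuration from the original poster, from Amos, or from the Squid project; it assumes Squid 3.3-era directives (https_port with ssl-bump, ssl_bump server-first, always_direct, cache_peer sslcafile=), and every path, port and hostname is a placeholder.

```conf
# Added example (not from the thread): intercepted HTTPS with server-first bumping.
# Squid terminates the client's TLS session and opens its own TLS session to
# the origin, so it can read the server's response. Placeholder paths/ports.
https_port 3129 intercept ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy-ca.pem
ssl_bump server-first all

# Server-first bumping needs Squid to contact the origin itself, so the
# always_direct rule must stay enabled rather than being commented out.
# With it disabled and traffic forced through a cache_peer, the client is
# handed the peer's certificate instead of a generated one for the origin.
always_direct allow all

# The sslcert= on a cache_peer is the certificate Squid itself presents to
# that peer; it does not forward the browser's client certificate. If a TLS
# parent is still wanted for some other traffic, at least verify the peer's
# certificate instead of using sslflags=DONT_VERIFY_PEER:
#
#   acl peerdomain dstdomain parent.example.net
#   cache_peer parent.example.net parent 443 0 no-query proxy-only originserver \
#       ssl sslcert=/etc/squid/ssl/squid-client.pem \
#       sslcafile=/etc/squid/ssl/peer-ca.pem name=verifiedpeer
#   cache_peer_access verifiedpeer allow peerdomain
#   never_direct allow peerdomain
```

The commented cache_peer block is kept separate from the bumped domains: never_direct on the same ACL as the bumped traffic is exactly the combination the reply warns against, since it routes the bumped session to the peer instead of letting server-first bumping go direct.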
