RE: [squid-users] intercepting SSL connections with client certificate

From: Shinoj Gangadharan <sgangadharan_at_wavecrest.gi>
Date: Tue, 19 Nov 2013 19:09:20 +0530

Hi Amos,

Thanks for the reply. Different things seem to be impacting me at the
moment:

1. sslbump is not passing on the client cert - I think this will be fixed
with the SSLPeekandSplice feature
(http://wiki.squid-cache.org/Features/SslPeekAndSplice?highlight=%28C{1}ategoryFeature%29|%28D{1}eveloper.*AlexRousskov%29 )

2. Plain old cache_peer is not working with SSL due to this bug (this is my
guess): "There is a bug in Squid where it can not forward CONNECT
requests properly to ssl enabled peers." By Henrik from:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-SSL-Interception-td4582940.html

3. Even if 2 works, I cannot find a way to send the request to the peer since
sslbump uses a direct connection without an option of forwarding to cache
peers. I am defining the server as a peer with the option originserver
and using the client cert in the ssl config. I am then restricting domains
that can be sent to this peer using dstdomain. After this I get hit as
sslbump only supports direct connection.

I guess I am stuck :)

Thanks and Regards,
Shinoj.

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Tuesday, November 19, 2013 3:44 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] intercepting SSL connections with client certificate

On 19/11/2013 12:42 a.m., Shinoj Gangadharan wrote:
> Hi,
>
> I am able to intercept normal SSL connections using ssl_bump. How can
> I pass on the client certificate to the server? I tried using
> cache_peer but could not get it to work. Here is the conf :
>
> acl myacl dstdomain myssldomain.com
>
> cache_peer ssl.myssldomain.com parent 443 0 no-query proxy-only
> originserver ssl sslcert=/home/certificates/cl2.crt
> sslflags=DONT_VERIFY_PEER name=myssl
> cache_peer_access myssl allow myacl
> never_direct allow myacl
>
>
> I have disabled always_direct :
>
> #always_direct allow all
>

Re-enable always_direct for server-first bumping to work as designed.
Otherwise you are just sending the client your peer's SSL certificates.

That's all the help I can give for now, sorry.

FWIW I don't think we have a client-mimicking feature in Squid at this
point. So client certs may be passed onward, but likely not, as Squid
wants to be able to decrypt the server data which will be encrypted
against the client cert key.

Amos
Received on Tue Nov 19 2013 - 13:39:30 MST
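As an added example (not from the thread or from the Squid project), here is the posted squid.conf rewritten the way Amos suggests, with the original never_direct setting kept alongside as a comment; the https_port line and the CA certificate path are assumed, and the result still does not forward the end user's client certificate, for the reason noted in the comments.

```conf
# Assumed directives (not in the thread): the intercepting port and the CA
# certificate Squid uses to mint server certificates for bumped sessions.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem

acl myacl dstdomain myssldomain.com

# Server-first bumping: Squid opens its own TLS connection to the origin,
# then hands the client a certificate it generates to mimic the origin's.
ssl_bump server-first all

# Bumped requests must be allowed to go direct. The posted config had
#   never_direct allow myacl
#   #always_direct allow all
# so the bumped connection was routed to the cache_peer and the client was
# shown the peer's certificate instead of a mimic of the origin's.
always_direct allow myacl

# The peer is kept for completeness; with always_direct for myacl it is no
# longer selected for these requests. sslcert= is the certificate Squid
# itself presents to the peer, not the end user's client certificate. Squid
# cannot present the user's certificate on a bumped connection: the TLS
# handshake with the origin would need the user's private key, which Squid
# does not hold.
cache_peer ssl.myssldomain.com parent 443 0 no-query proxy-only \
    originserver ssl sslcert=/home/certificates/cl2.crt \
    sslflags=DONT_VERIFY_PEER name=myssl
cache_peer_access myssl allow myacl
```

Check the effect from a client with `openssl s_client -connect <proxy>:3129 -servername myssldomain.com`: the issuer of the certificate shown should now be the Squid CA, not the peer's own certificate chain.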
