RE: [squid-users] intercepting SSL connections with client certificate

From: Shinoj Gangadharan <sgangadharan_at_wavecrest.gi>
Date: Wed, 20 Nov 2013 14:28:34 +0530

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Wednesday, November 20, 2013 1:59 PM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] intercepting SSL connections with client certificate
>
> On 20/11/2013 8:02 p.m., Shinoj Gangadharan wrote:
> >>> 1. sslbump is not passing on the client cert - I think this will be
> >>> fixed with SSLPeekandSplice feature
> >>> (http://wiki.squid-cache.org/Features/SslPeekAndSplice)
> >>
> >> I do not think this can be "fixed". IIRC, Squid cannot forward the
> >> client certificate to the server on a bumped connection: During SSL
> >> handshake, the client certificate is sent along with a digest of SSL
> >> messages seen by the client so far. That digest is encrypted with the
> >> client private key. Squid would not be able to create that digest
> >> because Squid does not have access to the client private key and the
> >> client digest will not match the server view of the communication.
> >> This is one of the defense layers against the man-in-the-middle attack.
> >>
> >> Just like Squid cannot forward the server certificate to the client,
> >> Squid cannot forward the client certificate to the server. If a
> >> connection is bumped, both certificates can only be faked, not
> >> forwarded "as is".
> >>
> >> Squid does not support faking client certificates.
> >>
> >
> > It would be great if we have an option to specify client cert and key
> > for a specific IP/ domain like in cache_peer - I know this is going
> > to be complicated.
> >
> >>
> >>> 2. Plain old cache_peer is not working with SSL due to this bug (this
> >>> is my guess): "There is a bug in Squid where it can not forward CONNECT
> >>> requests properly to ssl enabled peers." By Henrik from:
> >>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-SSL-Interception-td4582940.html
> >>
> >> I am not sure exactly which problem you are referring to, but TCP
> >> tunnels to SSL peers are unofficially supported in
> >> https://code.launchpad.net/~measurement-factory/squid/connect2ssl
> >>
> >
> > Is it possible to use Parent Proxy with SSL Bump? The following
> > config does not forward requests to parent proxy. It always connects
> > directly:
> >
> > acl wc dstdomain mydomain.com
> >
> > cache_peer testp.parentproxy.com parent 443 0 originserver no-query proxy-only ssl sslflags=DONT_VERIFY_PEER name=wimi
> > cache_peer_access wimi allow all
> >
> > never_direct allow wc
> >
> > always_direct allow all
> >
>
> always_direct overrides never_direct and both of those override
> cache_peer_*
>
> Try this:
> always_direct allow !wc
>
> Amos

With

always_direct allow !wc

I get this error:

Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent
caches.

Regards,
Shinoj.
Received on Wed Nov 20 2013 - 08:58:42 MST
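Amos's precedence rule (always_direct wins over never_direct, and both decide before cache_peer_access is consulted) is what makes the original config above go direct for mydomain.com. The script below is an added illustration of my own, not Squid's source: it models Squid's first-match ACL evaluation for dstdomain ACLs plus the special `all` ACL, applies the "default is the opposite of the last line" rule, and shows the routing decision for the original and the corrected always_direct line.

```python
# Constructed model of Squid's always_direct / never_direct evaluation.
# Simplifications (assumptions): only dstdomain ACLs and the built-in
# "all" ACL are supported; a rule is a ("allow"|"deny", [terms]) tuple,
# where a term may be negated with a leading "!".

def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: 'example.com' matches only that host,
    '.example.com' matches the host itself and every subdomain."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_list_decision(rules, acls, host) -> bool:
    """Walk the allow/deny lines in order; the first line whose terms all
    match decides. If no line matches, the result is the opposite of the
    last line's action (Squid's documented default for access lists)."""
    for action, terms in rules:
        matched = True
        for term in terms:
            negate = term.startswith("!")
            name = term.lstrip("!")
            hit = True if name == "all" else any(
                dstdomain_match(p, host) for p in acls[name])
            if hit == negate:          # term failed (or negated term hit)
                matched = False
                break
        if matched:
            return action == "allow"
    return rules[-1][0] != "allow" if rules else False


def route(acls, always_direct, never_direct, host) -> str:
    """Return how Squid would route a request for host."""
    if acl_list_decision(always_direct, acls, host):
        return "DIRECT"            # always_direct overrides never_direct
    if acl_list_decision(never_direct, acls, host):
        return "PEER"              # forced through a cache_peer
    return "PEER_OR_DIRECT"        # neither forced; peer selection decides


# The ACLs and rules from the config quoted in the thread.
ACLS = {"wc": ["mydomain.com"]}
NEVER_DIRECT = [("allow", ["wc"])]
ORIGINAL_ALWAYS_DIRECT = [("allow", ["all"])]   # always_direct allow all
FIXED_ALWAYS_DIRECT = [("allow", ["!wc"])]      # always_direct allow !wc

if __name__ == "__main__":
    for rules in (ORIGINAL_ALWAYS_DIRECT, FIXED_ALWAYS_DIRECT):
        print(rules, route(ACLS, rules, NEVER_DIRECT, "mydomain.com"))
```

With the original `always_direct allow all`, mydomain.com is routed DIRECT; with `always_direct allow !wc` it is forced to the peer, while any other host is still sent DIRECT.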

This archive was generated by hypermail 2.2.0 : Wed Nov 20 2013 - 12:00:04 MST