[squid-users] SSLBump and client certificate forward

From: oandarilho01 <oandarilho01_at_yahoo.com.br>
Date: Tue, 10 Jun 2014 07:33:20 -0700 (PDT)

Hi,

I'm trying to put sslbump to work but I can't capture and forward the client
certificate when asked by the remote server.

I've followed the instructions on
Features/BumpSslServerFirst
Features/DynamicSslCert

and I've also configured stunnel as Amos Jeffries has suggested here in the
past.

Do you have any other tip?

If it helps, these are the related lines of my squid.conf:

# As I'm using port 3128 to listen for the stunnel forwarded traffic
http_port 3129 ssl-bump cert=/etc/ssl/squid/squid.pem dynamic_cert_mem_cache_size=4MB generate-host-certificates=on

always_direct allow all
ssl_bump server-first all
# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

I'm currently running squid-3.4.5 on a Gentoo server. But I've also tried
with version 3.3.12.

I need to pass the client certificate (IE8) to at least two websites. One
returns to me a 403 error and the other a 502.

Mr. Rousskov, answering your question: yes, client certificate
authentication does work through squid when no ssl_bump is active.

Thanks for your attention.

P.S.: Mr. Rousskov, thanks for your kind reply and sorry for the
inconvenience :)

Received on Tue Jun 10 2014 - 14:34:02 MDT
