RE: intercepting SSL connections with client certificate

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Wednesday, November 20, 2013 1:59 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: intercepting SSL connections with client certificate
>
> On 20/11/2013 8:02 p.m., Shinoj Gangadharan wrote:
> >>> 1. sslbump is not passing on the client cert - I think this will be
> >>> fixed with SSLPeekandSplice feature
> >>> (http://wiki.squid-cache.org/Features/SslPeekAndSplice)
> >>
> >> I do not think this can be "fixed". IIRC, Squid cannot forward the
> >> client certificate to the server on a bumped connection: During SSL
> >> handshake, the client certificate is sent along with a digest of SSL
> >> messages seen by the client so far. That digest is encrypted with the
> >> client private key. Squid would not be able to create that digest
> >> because Squid does not have access to the client private key and the
> >> client digest will not match the server view of the communication.
> >> This is one of the defense layers against the man-in-the-middle attack.
> >>
> >> Just like Squid cannot forward the server certificate to the client,
> >> Squid cannot forward the client certificate to the server. If a
> >> connection is bumped, both certificates can only be faked, not
> >> forwarded "as is".
> >>
> >> Squid does not support faking client certificates.
> >
> > It would be great if we have an option to specify client cert and key
> > for a specific IP/domain like in cache_peer - I know this is going to
> > be complicated.
> >
> >>> 2. Plain old cache_peer is not working with SSL due to this bug (this
> >>> is my guess): "There is a bug in Squid where it can not forward CONNECT
> >>> requests properly to ssl enabled peers." By Henrik from:
> >>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-SSL-Interception-td4582940.html
> >>
> >> I am not sure exactly which problem you are referring to, but TCP
> >> tunnels to SSL peers are unofficially supported in
> >> https://code.launchpad.net/~measurement-factory/squid/connect2ssl
> >
> > Is it possible to use Parent Proxy with SSL Bump? The following config
> > does not forward requests to parent proxy. It always connects directly:
> >
> > acl wc dstdomain mydomain.com
> >
> > cache_peer testp.parentproxy.com parent 443 0 originserver no-query proxy-only ssl sslflags=DONT_VERIFY_PEER name=wimi
> > cache_peer_access wimi allow all
> >
> > never_direct allow wc
> >
> > always_direct allow all
> >
>
> always_direct overrides never_direct and both of those override
> cache_peer_*
>
> Try this:
>  always_direct allow !wc
>
> Amos

With

always_direct allow !wc

I get this error:

Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent
caches.

Regards,
Shinoj.
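The routing problem discussed in this thread, as an added worked configuration that is not from the thread or from the Squid project: the posted always_direct/never_direct pair beside the reordered version Amos suggests, with the cache_peer_access rule tightened to the same ACL. The host names, the ACL name wc and the peer name wimi are the thread's own; the commented sslcafile= line and its path are an assumption about how a production deployment would replace DONT_VERIFY_PEER.

```conf
# Added example, not the thread's or Squid's own configuration.

acl wc dstdomain mydomain.com

# Same peer as posted. sslflags=DONT_VERIFY_PEER disables verification of
# the parent's certificate, so Squid will happily talk to anything that
# answers on that port; for anything but a lab, point sslcafile= at the
# CA that issued the parent's certificate instead (path is assumed here):
#   cache_peer testp.parentproxy.com parent 443 0 originserver no-query proxy-only ssl sslcafile=/etc/squid/parent-ca.pem name=wimi
cache_peer testp.parentproxy.com parent 443 0 originserver no-query proxy-only ssl sslflags=DONT_VERIFY_PEER name=wimi

# Only let the peer see the traffic it is meant for, not "allow all".
cache_peer_access wimi allow wc
cache_peer_access wimi deny all

# As posted (broken): always_direct is evaluated first, "allow all"
# matches every request, and a request that goes direct never consults
# never_direct or cache_peer_access at all.
#   never_direct  allow wc
#   always_direct allow all

# Corrected ordering: wc requests do not match always_direct, so they
# fall through to never_direct and are forced via the peer; everything
# else still goes direct.
always_direct allow !wc
never_direct  allow wc
```

Run `squid -k parse` after editing to catch syntax errors before reloading. Note that originserver tells Squid to treat the peer as the origin server, so bumped requests are sent to it as ordinary HTTP requests over the TLS connection rather than as CONNECT; the parent must be expecting that. The thread does not say why the reordered rules then produced "Unable to forward this request at this time", so this example fixes only the direct-versus-peer selection it illustrates.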
