Re: [squid-users] Plans to support proxying of client certificates in Squid?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 17 Dec 2002 19:43:39 +0100

The SSL update to Squid includes support for specifying a client
certificate Squid should use when connecting as an SSL client to SSL
servers. Mainly useful if you run Squid as a reverse-proxy accepting SSL
requests from your clients and want Squid to in turn use SSL to encrypt
the traffic it receives from your backend servers and for security needs
to have the connection authenticated as coming from your Squid.

The SSL client in the Squid SSL update can be activated in a number of
ways:

 a) By cache_peer, specifying that the peer is an SSL enabled server.

 b) By using a redirector that rewrites requests received via HTTP into
https:// URLs.

 c) By receiving https:// URLs in HTTP proxy requests from clients
without native support for SSL (such as old versions of lynx etc).

You cannot proxy a client's certificate as for presenting a certificate
you need access to the private key the certificate certifies. If you
have accepted to be an SSL endpoint then all you can do is to open a new
SSL connection with your own set of authentication.

For client<->server certificate authentication the connection must be
directly between the client and server with no proxies in between. There
MAY however be tunnels in between such as those established over HTTP
proxies by using the CONNECT method, but in technical terms CONNECT is
not proxying but tunneling.

Regards
Henrik

Dan Cave wrote:
>
> Hi All,
>
> Can anyone tell me if there are plans to support the proxying of client
> certificates within squid, whereby a client will connect to a squid proxy
> (just configured to act as a proxy, no caching) and based on the rules,
> squid will connect to an SSL enabled webserver which requires a client
> certificate, at that point passing a client cert to that host from within
> squid.
>
> I have spent some time at great lengths to try and achieve this using Apache
> v2 but discovered that it doesn't work.
>
> I would be interested to hear anyone's thoughts on this subject either using
> squid or apache v2.
>
> Kindest Regards
>
> Dan.
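A squid.conf fragment, added here as an illustration of option (a) above; it is not taken from Henrik's message or from the Squid distribution. It shows the only model the message says is possible: Squid terminates the browser's SSL session on https_port (optionally requiring the browser to present a certificate issued by a CA Squid trusts), then opens a separate SSL connection to the backend through cache_peer and presents Squid's own certificate and key, since the browser's private key is never available to the proxy. Option names follow the Squid 3 form of the SSL update (cert=, key=, clientca=, sslflags=, ssl, sslcert=, sslkey=, sslcafile=, originserver); the 2002 patch and later releases spell some of these differently, and all hostnames, addresses and file paths are placeholders.

```conf
# --- Front side: Squid is the SSL endpoint for browsers -----------------
# cert=/key= are Squid's own server certificate and private key.
# clientca= names the CA(s) whose client certificates Squid will accept;
# sslflags=NO_DEFAULT_CA limits trust to that file rather than the system
# default CA bundle. Squid verifies the browser's certificate here; it cannot
# forward it, because it holds no private key for it.
https_port 443 cert=/etc/squid/squid-server.pem key=/etc/squid/squid-server.key clientca=/etc/squid/client-ca.pem sslflags=NO_DEFAULT_CA

# --- Back side: Squid is an SSL client to the origin server ---------------
# 'ssl' makes Squid negotiate SSL with the peer. sslcert=/sslkey= are the
# certificate and key Squid itself presents, so the backend authenticates
# the proxy, not the original browser. sslcafile= is the CA that issued the
# backend's server certificate, so Squid can verify who it is talking to.
cache_peer backend.example.internal parent 443 0 no-query originserver ssl sslcert=/etc/squid/squid-client.pem sslkey=/etc/squid/squid-client.key sslcafile=/etc/squid/backend-ca.pem

# Reverse-proxy behaviour: every request goes to the peer, never direct.
never_direct allow all

# Placeholder access policy (constructed addresses): only the expected
# client network may use this listener.
acl frontend_clients src 192.0.2.0/24
http_access allow frontend_clients
http_access deny all
```

Note what the two halves give the backend: it learns that the request came from a trusted Squid (the sslcert= identity), while the per-browser identity established by clientca= on the front side stays with Squid. If the backend needs to know which browser authenticated, that has to be conveyed out of band (for example in a request header the backend trusts only from this proxy), which is a different mechanism from the end-to-end client certificate the original question asked about and which, per the message, only a CONNECT tunnel preserves.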
Received on Tue Dec 17 2002 - 14:42:49 MST
