Re: [squid-users] intercepting SSL connections with client certificate

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 19 Nov 2013 12:34:11 -0700

On 11/19/2013 06:39 AM, Shinoj Gangadharan wrote:

> 1. sslbump is not passing on the client cert - I think this will be fixed
> with SSLPeekandSplice feature
> (http://wiki.squid-cache.org/Features/SslPeekAndSplice)

I do not think this can be "fixed". IIRC, Squid cannot forward the
client certificate to the server on a bumped connection: During SSL
handshake, the client certificate is sent along with a digest of SSL
messages seen by the client so far. That digest is encrypted with the
client private key. Squid would not be able to create that digest
because Squid does not have access to the client private key and the
client digest will not match the server view of the communication. This
is one of the defense layers against the man-in-the-middle attack.

Just like Squid cannot forward the server certificate to the client,
Squid cannot forward the client certificate to the server. If a
connection is bumped, both certificates can only be faked, not
forwarded "as is".

Squid does not support faking client certificates.

> 2. Plain old cache_peer is not working with SSL due to this bug(this is my
> guess) : "There is a bug in Squid where it can not forward CONNECT
> requests properly to ssl enabled peers." By Henrik from :
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-SSL-Interception-td4582940.html

I am not sure exactly which problem you are referring to, but TCP
tunnels to SSL peers are unofficially supported in
https://code.launchpad.net/~measurement-factory/squid/connect2ssl

HTH,

Alex.
Received on Tue Nov 19 2013 - 19:34:20 MST
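Added example (not code from this thread, from Alex, or from Squid): a toy model of the transcript binding Alex describes above. In TLS 1.2 the client's CertificateVerify message is a signature, made with the client's private key, over the hash of every handshake message the client has seen so far. A bumping proxy terminates the client's TLS session with a forged certificate and opens a separate session to the origin, so the two legs have different transcripts; even if the proxy forwards the client's signature byte-for-byte, the origin verifies it against its own transcript and it fails. All handshake messages below are constructed byte strings, and the client key is textbook RSA with tiny fixed primes (not secure), chosen only so the script runs offline with the standard library.

```python
"""Toy model of why a bumping proxy cannot forward a TLS client certificate.

Added example, not code from the squid-users thread or from Squid.
Everything here is constructed: the handshake messages are made-up byte
strings and the client key is textbook RSA with tiny fixed primes (NOT
secure), chosen so the script runs offline with only the standard library.
"""
import hashlib

# Toy client keypair. Real keys are 2048+ bits; these primes are only
# large enough that a truncated 32-bit transcript hash fits under N.
_P, _Q = 1000003, 1000033
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))        # private exponent (Python 3.8+)
CLIENT_PUB = (N, E)
CLIENT_PRIV = (N, D)

# Constructed handshake messages. In TLS 1.2 the ServerHello carries a
# fresh server random and the Certificate message carries the server's
# chain, so both differ between the client<->proxy and proxy<->server legs.
CLIENT_HELLO = b"ClientHello:random=c1ient-rand0m"
ORIGIN_SERVER_HELLO = b"ServerHello:random=0rigin-rand0m"
ORIGIN_CERT = b"Certificate:CN=www.example.com,issuer=RealCA"
PROXY_SERVER_HELLO = b"ServerHello:random=pr0xy-rand0m"
PROXY_FAKE_CERT = b"Certificate:CN=www.example.com,issuer=SquidBumpCA"


def transcript_hash(messages):
    """Hash of all handshake messages seen so far, in order.

    TLS 1.2 CertificateVerify signs this value. The digest is truncated
    to 32 bits only so the toy RSA modulus can sign it.
    """
    digest = hashlib.sha256(b"".join(messages)).digest()
    return int.from_bytes(digest[:4], "big")


def client_certificate_verify(messages, priv=CLIENT_PRIV):
    """Client signs its own view of the transcript with its private key."""
    n, d = priv
    return pow(transcript_hash(messages), d, n)


def server_checks_certificate_verify(messages, signature, pub=CLIENT_PUB):
    """Server verifies the signature against ITS view of the transcript."""
    n, e = pub
    return pow(signature, e, n) == transcript_hash(messages)


def direct_connection():
    """No proxy: both sides saw the same messages, so verification passes."""
    transcript = [CLIENT_HELLO, ORIGIN_SERVER_HELLO, ORIGIN_CERT]
    sig = client_certificate_verify(transcript)
    return server_checks_certificate_verify(transcript, sig)


def bumped_connection():
    """SslBump: the client signs the transcript of its leg to the proxy
    (forged certificate, proxy's server random). The proxy has no client
    private key, so the best it can do is forward that signature unchanged
    to the origin, whose transcript contains its own hello and real cert.
    """
    client_side = [CLIENT_HELLO, PROXY_SERVER_HELLO, PROXY_FAKE_CERT]
    server_side = [CLIENT_HELLO, ORIGIN_SERVER_HELLO, ORIGIN_CERT]
    forwarded_sig = client_certificate_verify(client_side)
    return server_checks_certificate_verify(server_side, forwarded_sig)


if __name__ == "__main__":
    print("direct connection verifies:", direct_connection())   # True
    print("bumped connection verifies:", bumped_connection())   # False
```

The only way a bumping proxy could satisfy the origin is to present a client certificate of its own, signed with a key it holds, which is the "faking" Alex says Squid does not do. TLS 1.3 keeps the same design: CertificateVerify there is also a signature over the full handshake transcript, so the conclusion is unchanged.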

This archive was generated by hypermail 2.2.0 : Wed Nov 20 2013 - 12:00:04 MST