RE: [squid-users] intercepting SSL connections with client certificate

From: Shinoj Gangadharan <sgangadharan_at_wavecrest.gi>
Date: Wed, 20 Nov 2013 12:32:03 +0530

> > 1. sslbump is not passing on the client cert - I think this will be
> > fixed with SSLPeekandSplice feature
> > (http://wiki.squid-cache.org/Features/SslPeekAndSplice)
>
> I do not think this can be "fixed". IIRC, Squid cannot forward the client
> certificate to the server on a bumped connection: During SSL handshake, the
> client certificate is sent along with a digest of SSL messages seen by the
> client so far. That digest is encrypted with the client private key. Squid
> would not be able to create that digest because Squid does not have access
> to the client private key and the client digest will not match the server
> view of the communication. This is one of the defense layers against the
> man-in-the-middle attack.
>
> Just like Squid cannot forward the server certificate to the client, Squid
> cannot forward the client certificate to the server. If a connection is
> bumped, both certificates can only be faked, not forwarded "as is".
>
> Squid does not support faking client certificates.
>

It would be great if we had an option to specify a client cert and key for
a specific IP/domain, like in cache_peer - I know this is going to be
complicated.

>
> > 2. Plain old cache_peer is not working with SSL due to this bug (this
> > is my guess): "There is a bug in Squid where it can not forward CONNECT
> > requests properly to ssl enabled peers." By Henrik from:
> > http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-SSL-Interception-td4582940.html
>
> I am not sure exactly which problem you are referring to, but TCP tunnels to
> SSL peers are unofficially supported in
> https://code.launchpad.net/~measurement-factory/squid/connect2ssl
>

Is it possible to use a parent proxy with SSL Bump? The following config
does not forward requests to the parent proxy. It always connects directly:

acl wc dstdomain mydomain.com

cache_peer testp.parentproxy.com parent 443 0 originserver no-query proxy-only ssl sslflags=DONT_VERIFY_PEER name=wimi
cache_peer_access wimi allow all

never_direct allow wc

always_direct allow all

I have also tried :

cache_peer_domain wimi mydomain.com

instead of cache_peer_access above.

Please advise.

Regards,
Shinoj.
Received on Wed Nov 20 2013 - 07:02:14 MST
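To illustrate the point quoted above about the client-certificate digest, here is an added Go sketch (not Squid code and not part of the original thread) that models the CertificateVerify check: the client signs a digest of the handshake messages it has seen, and the origin verifies that signature against the digest of the messages it has seen. The message labels, the transcripts and the ECDSA key are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// transcriptHash digests the handshake messages one side saw so far (labels here); TLS CertificateVerify signs such a digest.
func transcriptHash(msgs []string) []byte {
	h := sha256.New()
	for _, m := range msgs {
		h.Write([]byte(m))
	}
	return h.Sum(nil)
}

// SignVerify: the client signs the digest of what IT saw with its private key.
func SignVerify(key *ecdsa.PrivateKey, msgs []string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, transcriptHash(msgs))
}

// CheckVerify: the server checks that signature against the digest of what IT saw, using the client cert's public key.
func CheckVerify(pub *ecdsa.PublicKey, msgs []string, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, transcriptHash(msgs), sig)
}

// Demo returns whether the origin accepts CertificateVerify on a direct handshake and on a bumped one where the proxy relays the client's signature.
func Demo() (directOK, bumpedOK bool) {
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Direct: both ends saw the same messages (constructed labels).
	direct := []string{"ClientHello", "ServerHello", "Cert:origin", "CertRequest", "Cert:client"}
	sig, _ := SignVerify(clientKey, direct)
	directOK = CheckVerify(&clientKey.PublicKey, direct, sig)
	// Bumped: the client saw the proxy's faked origin cert, the origin saw the
	// proxy's own ClientHello. The proxy holds no client private key, so all it
	// can do is relay the client's signature, which covers the wrong digest.
	clientSide := []string{"ClientHello", "ServerHello", "Cert:fake-origin", "CertRequest", "Cert:client"}
	originSide := []string{"ClientHello:proxy", "ServerHello", "Cert:origin", "CertRequest", "Cert:client"}
	sig, _ = SignVerify(clientKey, clientSide)
	bumpedOK = CheckVerify(&clientKey.PublicKey, originSide, sig)
	return
}

func main() {
	d, b := Demo()
	fmt.Println("direct accepted:", d, "bumped relay accepted:", b)
}
```

The same failure would occur if the proxy signed with its own key, since the origin verifies with the public key from the client certificate it received.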
