Re: [squid-users] intercepting SSL connections with client certificate

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 20 Nov 2013 21:28:35 +1300

On 20/11/2013 8:02 p.m., Shinoj Gangadharan wrote:
>>> 1. sslbump is not passing on the client cert - I think this will be
>>> fixed with SSLPeekandSplice feature
>>> (http://wiki.squid-cache.org/Features/SslPeekAndSplice)
>>
>> I do not think this can be "fixed". IIRC, Squid cannot forward the
>> client certificate to the server on a bumped connection: During SSL
>> handshake, the client certificate is sent along with a digest of SSL
>> messages seen by the client so far. That digest is encrypted with the
>> client private key. Squid would not be able to create that digest
>> because Squid does not have access to the client private key and the
>> client digest will not match the server view of the communication.
>> This is one of the defense layers against the man-in-the-middle
>> attack.
>>
>> Just like Squid cannot forward the server certificate to the client,
>> Squid cannot forward the client certificate to the server. If a
>> connection is bumped, both certificates can only be faked, not
>> forwarded "as is".
>>
>> Squid does not support faking client certificates.
>>
>
> It would be great if we have an option to specify client cert and key for
> a specific IP/ domain like in cache_peer - I know this is going to be
> complicated.
>
>>
>>> 2. Plain old cache_peer is not working with SSL due to this bug (this
>>> is my guess): "There is a bug in Squid where it can not forward CONNECT
>>> requests properly to ssl enabled peers." By Henrik from:
>>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Transparent-SSL-Interception-td4582940.html
>>
>> I am not sure exactly which problem you are referring to, but TCP
>> tunnels to SSL peers are unofficially supported in
>> https://code.launchpad.net/~measurement-factory/squid/connect2ssl
>>
>
> Is it possible to use Parent Proxy with SSL Bump? The following config
> does not forward requests to parent proxy. It always connects directly :
>
> acl wc dstdomain mydomain.com
>
> cache_peer testp.parentproxy.com parent 443 0 originserver no-query
> proxy-only ssl sslflags=DONT_VERIFY_PEER name=wimi
> cache_peer_access wimi allow all
>
> never_direct allow wc
>
> always_direct allow all
>

always_direct overrides never_direct and both of those override cache_peer_*

Try this:
 always_direct allow !wc

Amos
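The configuration from the question with Amos's fix applied, as an added example that is not part of the original thread; the CA file path is a placeholder and the peer is limited to the wc domains:

```conf
# Domains that must be reached through the parent, not directly
acl wc dstdomain mydomain.com

# Parent as in the original post, but with certificate verification kept on:
# sslflags=DONT_VERIFY_PEER makes Squid accept whatever certificate the
# parent presents. /etc/squid/parent-ca.pem is a placeholder for the CA
# that issued the parent's certificate.
cache_peer testp.parentproxy.com parent 443 0 originserver no-query proxy-only ssl sslcafile=/etc/squid/parent-ca.pem name=wimi

# Only the wc domains may use this peer
cache_peer_access wimi allow wc
cache_peer_access wimi deny all

# always_direct overrides never_direct, so "always_direct allow all" would
# send every request direct and the peer would never be used. Exclude wc
# from always_direct and force it through the peer with never_direct.
always_direct allow !wc
never_direct allow wc
```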
Received on Wed Nov 20 2013 - 08:28:40 MST