[squid-users] could sslbump handle client certs better?
Amos Jeffries
squid3 at treenet.co.nz
Thu Nov 6 04:11:25 UTC 2014
On 6/11/2014 11:35 a.m., Jason Haar wrote:
> I haven't tested this so I may be embarrassing myself, but I doubt
> client certs and sslbump play nicely together as the end-server
> would never see any possible client cert interaction
SSL-bump in which Squid version?
There is an arms race going on between browsers, site owners and
bumping proxies. Each major series of Squid has had a different
variation on what bumping can do and what breaks.
>
> I was wondering how quickly the need of a client cert is
> announced?
see http://tools.ietf.org/html/rfc5246#section-7.4.6
> Could/does squid notice the server requirement for client certs and
> fall back into passthrough mode?
Maybe yes maybe no. As I understand things right now it is part of the
crypto which follows the 3rd (final?) peek-n-splice "step".
> It would certainly be a great option to
> have. ie force most https traffic through sslbump, but allow squid
> to bypass it for the (very) few sites that require client certs.
The ServerHello has an explicit request for client-cert. So this demand
from the server should be detectable during SSL-bump step3 ACL
processing, even though the client cert itself is probably unavailable.
Amos
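As an added illustration of the detectability discussed above (this is not Squid code and not from either poster): the CertificateRequest is a plaintext handshake message (HandshakeType 13, RFC 5246 section 7.4.6) sent in the same server flight as ServerHello, so a proxy that has peeked at that flight can spot the client-cert requirement by walking the handshake messages before deciding to bump or splice. The sample records are constructed here; the function and constant names are my own.

```python
import struct

HANDSHAKE_RECORD = 22          # TLS ContentType handshake
CERTIFICATE_REQUEST = 13       # HandshakeType from RFC 5246 section 7.4.6


def handshake_types(server_flight: bytes) -> list:
    """Return the HandshakeType of every message in a raw TLS 1.2 byte stream.

    Records are parsed one by one, handshake payloads are reassembled across
    record boundaries, and non-handshake records are skipped. Only plaintext
    (pre-ChangeCipherSpec) records are meaningful, which is exactly where the
    server's CertificateRequest lives."""
    types, body, pos = [], b"", 0
    while pos + 5 <= len(server_flight):
        ctype, _version, length = struct.unpack("!BHH", server_flight[pos:pos + 5])
        pos += 5
        payload = server_flight[pos:pos + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        pos += length
        if ctype != HANDSHAKE_RECORD:
            continue
        body += payload
        # consume every complete handshake message: 1-byte type + 3-byte length
        while len(body) >= 4:
            hlen = int.from_bytes(body[1:4], "big")
            if len(body) < 4 + hlen:
                break                      # rest arrives in the next record
            types.append(body[0])
            body = body[4 + hlen:]
    return types


def server_requests_client_cert(server_flight: bytes) -> bool:
    """True when the server flight carries a CertificateRequest."""
    return CERTIFICATE_REQUEST in handshake_types(server_flight)


# helpers to build constructed sample data (not captured traffic)
def hs_msg(htype: int, payload: bytes) -> bytes:
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload

def record(payload: bytes) -> bytes:
    return b"\x16\x03\x03" + len(payload).to_bytes(2, "big") + payload

SERVER_HELLO = hs_msg(2, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
CERTIFICATE = hs_msg(11, b"\x00\x00\x00")            # empty certificate_list
# certificate_types=[rsa_sign], sig algs=[sha256/rsa], no CA names
CERT_REQUEST = hs_msg(13, b"\x01\x01\x00\x02\x04\x01\x00\x00")
HELLO_DONE = hs_msg(14, b"")
two_records = SERVER_HELLO + CERTIFICATE + CERT_REQUEST + HELLO_DONE
# split mid-message across two records to exercise reassembly
FLIGHT_WITH_REQUEST = record(two_records[:50]) + record(two_records[50:])
FLIGHT_WITHOUT_REQUEST = record(SERVER_HELLO + CERTIFICATE + HELLO_DONE)
```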