[squid-users] Fwd: Squid authentication on the origin server during SslBumping

Alexei Mayanov piphonom at gmail.com
Mon Dec 28 14:34:51 UTC 2015

Sorry if my question is repeated, but I didn't find any answer.
We have a remote web server that only authenticated users have
access to. Authentication is made by X509 certificates.
I want authentication to the remote web server to be transparent
for our local network users. For this I'm trying to set up Squid in
transparent mode with SSL bumping.
Is it possible to set up Squid to authenticate itself to the remote
origin by X509 certificate?

I tried to set up Squid 3.5.12 to do SSL bumping and authenticate
itself to the origin by X509 certificate, but without success.
Here is part of my test config for SSL bumping:

https_port 3131 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/user/squiddata/myCA.pem
ssl_bump peek all
ssl_bump bump all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /home/user/squiddata/ssl_db -M 4MB
sslcrtd_children 5
# certificate to authenticate Squid on the origin. Is it right?
sslproxy_client_certificate /home/user/squiddata/client.crt
# appropriate key
sslproxy_client_key /home/user/squiddata/.key
# CA bundle
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
sslproxy_cert_error allow SSLERR
sslproxy_cert_error deny all

But I get the following error:

Error negotiating SSL on FD 12: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback
1450974176.611     45 TAG_NONE/200 0 CONNECT <remote ip>:443 - ORIGINAL_DST/<remote ip> -
Error negotiating SSL connection on FD 10: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback (1/-1)

It seems the remote server can't authenticate Squid.

SSL bumping with only remote server verification works well.

Thanks in advance.
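A pre-flight check for the client certificate material referenced by sslproxy_client_certificate / sslproxy_client_key, added here as an example and not part of the post or of Squid: it confirms the key belongs to the certificate, that the certificate verifies against the CA the origin uses for client authentication, and then performs a direct mutual-TLS handshake with the origin via openssl s_client, so an origin-side rejection can be separated from a proxy-side problem. The paths are the post's placeholders; the origin hostname and the client-issuing CA file are assumed command-line arguments.

```shell
#!/bin/sh
# Added example: sanity-check the client cert Squid presents to the origin.
# Paths are the placeholders from the post; adjust to your deployment.
CLIENT_CERT=/home/user/squiddata/client.crt
CLIENT_KEY=/home/user/squiddata/.key
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt   # CAs used to verify the origin

# 1. Does the private key belong to the certificate? Compare the public key
#    embedded in the certificate with the one derived from the private key
#    (key-type agnostic: works for RSA and EC). Returns 0 on match, 1 otherwise.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 2. Does the client certificate chain to the CA the origin trusts for client
#    authentication? ($2 is that CA file, an assumed argument; it is usually
#    NOT the system bundle that sslproxy_cafile uses to verify the origin.)
check_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 3. Direct mutual-TLS handshake with the origin, bypassing Squid. Prints the
#    server's accepted client CAs, any alert and the verify result.
probe_origin() {
    openssl s_client -connect "$1:443" -servername "$1" \
        -cert "$CLIENT_CERT" -key "$CLIENT_KEY" -CAfile "$CA_BUNDLE" \
        </dev/null 2>&1 | grep -E 'Acceptable client certificate|alert|Verify return code'
}

main() {
    origin=$1; client_ca=$2
    if check_pair "$CLIENT_CERT" "$CLIENT_KEY"; then
        echo "OK: $CLIENT_KEY matches $CLIENT_CERT"
    else
        echo "FAIL: $CLIENT_KEY does not belong to $CLIENT_CERT"; return 1
    fi
    if check_chain "$CLIENT_CERT" "$client_ca"; then
        echo "OK: $CLIENT_CERT verifies against $client_ca"
    else
        echo "FAIL: $CLIENT_CERT does not verify against $client_ca"; return 1
    fi
    probe_origin "$origin"
}

# Usage: sh precheck.sh <origin-host> <client-issuing-ca.pem>
if [ "$#" -ge 2 ]; then main "$@"; fi
```

If the direct handshake in step 3 already fails with an alert, the origin is rejecting the certificate itself and no Squid setting will change that; if it succeeds, the problem lies between Squid and the origin.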
