[squid-users] Fwd: Squid authentication on the origin server during SslBumping
Alex Rousskov
rousskov at measurement-factory.com
Mon Dec 28 16:14:17 UTC 2015
On 12/28/2015 07:34 AM, Alexei Mayanov wrote:
> Is it possible to setup Squid to authenticate himself on the remote
> origin by X509 certificate?
I do not know for sure, but I suspect that:
1. SslBump transactions aside, one may configure Squid to authenticate
itself to an origin server using an X509 certificate mentioned in
squid.conf. If this is not possible, it is a missing feature or a bug.
2. It is possible to splice user-to-Squid and Squid-to-origin
connections while preserving user-to-origin authentication using an X509
certificate provided by the user. If this is not possible, it is a
missing feature or a bug.
3. It is possible to bump user-to-Squid and Squid-to-origin connections
while Squid authenticates itself to the origin server using an X509
certificate mentioned in squid.conf. If this is not possible, it is a
missing feature or a bug.
4. It is impossible to bump user-to-Squid and Squid-to-origin
connections while preserving user-to-origin authentication using an X509
certificate provided by the user. Bumping does not (and cannot)
impersonate an SSL client protected by a client certificate.
Which variant are you after?
> There is part of my test config for ssl bumping:
>
> ssl_bump peek all
> ssl_bump bump all
This combination usually does not work. Look for "prevents future
bumping" and Limitations at
http://wiki.squid-cache.org/Features/SslPeekAndSplice
HTH,
Alex.
More information about the squid-users
mailing list