[squid-users] How to inspect client certificate in ssl_bump

Leon wangxuzong at gmail.com
Thu Oct 22 21:53:51 UTC 2015


I'm using Squid 3.5. What I'm going to do is set up a forward proxy that
inspects the TLS handshake between client and server, then allows the
connection only when the following two requirements are met:

    1. The server address must be in our whitelist, and the server must
       provide a correct server certificate during the TLS handshake.
    2. The client must provide a client certificate during the TLS handshake,
       and the certificate's subject must be in our whitelist.

I've set up the ssl_bump according to this page:
http://wiki.squid-cache.org/Features/SslPeekAndSplice. I don't need to do
any bump. I only need to peek then either splice or terminate.

My question is - how to inspect the client certificate? And how to configure
an acl for that?

The document is confusing. It explains the peek action as:
peek    step1, step2    Receive SNI and client certificate (step1), or
server certificate (step2) while preserving the possibility of splicing the
connection. Peeking at the server certificate usually precludes future
bumping of the connection (see Limitations).

But the client certificate is not sent at step1 during the TLS handshake. The
client certificate is sent after the server certificate is received and the
server also sends a "Certificate Request" message. So I guess I need an additional step
(step4)? Is there already someone working on this or I need to create by

Any suggestion is highly appreciated!


My Squid configuration is:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl whitelist_server ssl::server_name "/etc/squid/whitelist_server.txt"

http_port 3128 ssl-bump \
  cert=/etc/ssl/ca-cert.pem \
  generate-host-certificates=off dynamic_cert_mem_cache_size=4MB

ssl_bump  peek  step1  all                 
ssl_bump  peek  step2  all    
ssl_bump  splice  step3  whitelist_server  
ssl_bump  terminate  step3  !whitelist_server
ssl_bump  terminate  all                   
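
Added example (not part of the original post): the TLS 1.2 message ordering described above, shown by parsing constructed cleartext handshake flights. The helper names and dummy message bodies are assumptions made for illustration; in TLS 1.3 the client Certificate is encrypted, so it would not be visible to a parser like this.

```python
import struct

# Handshake message types from RFC 5246 (TLS 1.2).
HS_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 13: "CertificateRequest",
            14: "ServerHelloDone", 15: "CertificateVerify",
            16: "ClientKeyExchange", 20: "Finished"}
HANDSHAKE = 22  # TLS record content type for handshake messages


def record(payload, ctype=HANDSHAKE):
    """Wrap payload in a TLS 1.2 record header (constructed test data)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def hs(msg_type, body=b""):
    """Build one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def handshake_messages(stream):
    """Names of the cleartext handshake messages in one direction's bytes."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, pos)
        if ctype == HANDSHAKE:  # messages may share or span records
            buf += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    names, pos = [], 0
    while pos + 4 <= len(buf):
        length = int.from_bytes(buf[pos + 1:pos + 4], "big")
        names.append(HS_TYPES.get(buf[pos], "type_%d" % buf[pos]))
        pos += 4 + length
    return names


def timeline(flights):
    """flights: [(sender, bytes)] in wire order -> [(sender, message)]."""
    return [(who, m) for who, data in flights for m in handshake_messages(data)]


# Constructed flights with dummy bodies, stopping before ChangeCipherSpec.
FLIGHTS = [
    ("client", record(hs(1, b"\x00" * 8))),
    ("server", record(hs(2) + hs(11, b"srv-cert") + hs(13) + hs(14))),
    ("client", record(hs(11, b"cli-cert") + hs(16) + hs(15))),
]

if __name__ == "__main__":
    for n, (who, msg) in enumerate(timeline(FLIGHTS)):
        print(n, who, msg)
```

The client's Certificate appears only in the flight after the server's ServerHelloDone, that is, after the point where the server certificate has been received.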
