[squid-users] How to inspect client certificate in ssl_bump
wangxuzong at gmail.com
Thu Oct 22 21:53:51 UTC 2015
I'm using Squid 3.5. What I'm going to do is setting up a forward proxy that
inspect TLS handshake between client and server then allow the connection
only when following two requirements are met:
1. The server address must be in our whitelist, and the server must
provide a correct server certificate during TLS handshake
2. The client must provide a client certificate during TLS handshake.
And the certificate's subject must be in our whitelist
I've set up the ssl_bump according to this page:
http://wiki.squid-cache.org/Features/SslPeekAndSplice. I don't need to do
any bump. I only need to peek then either splice or terminate.
My question is - how to inspect the client certificate? And how to configure
an acl for that?
The document is confusing. It explains the peek action as:
peek step1, step2 Receive SNI and client certificate (step1), or
server certificate (step2) while preserving the possibility of splicing the
connection. Peeking at the server certificate usually precludes future
bumping of the connection (see Limitations).
But client certificate is not sent at step1 during TLS handshake. Client
certificate is sent after server certificate is received and the sever also
send a "Certificate Request" message. So I guess I need an additional step
(step4)? Is there already someone working on this or I need to create by
Any suggestion is highly appreciated!
My Squid configuration is:
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl whitelist_server ssl::server_name "/etc/squid/whitelist_server.txt"
http_port 3128 ssl-bump \
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump splice step3 whitelist_server
ssl_bump terminate step3 !whitelist_server
ssl_bump terminate all
More information about the squid-users