[squid-users] How to inspect client certificate in ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Thu Oct 22 22:41:07 UTC 2015

On 10/22/2015 03:53 PM, Leon wrote:

> I'm using Squid 3.5. What I'm going to do is setting up a forward proxy that
> inspect TLS handshake between client and server then allow the connection
> only when following two requirements are met:
>     1. The server address must be in our whitelist, and the server must
> provide a correct server certificate during TLS handshake
>     2. The client must provide a client certificate during TLS handshake.
> And the certificate's subject must be in our whitelist
> I've set up the ssl_bump according to this page:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice. I don't need to do
> any bump. I only need to peek then either splice or terminate.
> My question is - how to inspect the client certificate? And how to configure
> an acl for that?

Current SslBump code does not support client certificate inspection.
Squid does not know anything about a bumped client certificate.

> The document is confusing. It explains the peek action as:
> peek    step1, step2    Receive SNI and client certificate (step1), or
> server certificate (step2) while preserving the possibility of splicing the
> connection. Peeking at the server certificate usually precludes future
> bumping of the connection (see Limitations).

> But client certificate is not sent at step1 during TLS handshake. Client
> certificate is sent after server certificate is received and the sever also
> send a "Certificate Request" message.

That is correct. What do you find confusing about the current
description? Please suggest improvements or edit the current text.

> So I guess I need an additional step (step4)?

Yes, although client certificate inspection should most likely be done
during step3 and/or step4, with the current "final" step3 increased to
step4 or step5.

> Is there already someone working on this or I need to create by
> myself?

I am not aware of anybody working on the client certificate inspection
in SslBump. Please note that correctly handling client certificates
during SslBump requires serious development work and that work needs to
be done in the unstable SslBump code (e.g., we are currently rewriting
handshake parsing code to make it safe and robust).



More information about the squid-users mailing list