[squid-users] How to inspect client certificate in ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Fri Oct 23 14:41:33 UTC 2015

On 10/22/2015 05:59 PM, Leon wrote:

> In regard to the document, I suggest to change the description of
> peek action to "Receive SNI in Client Hello message (step1), or
> server certificate (step2) ...".

I see what you mean now. Done.

Thank you,


> -----Original Message-----
> From: Alex Rousskov [mailto:rousskov at measurement-factory.com] 
> Sent: Thursday, October 22, 2015 3:41 PM
> To: squid-users at lists.squid-cache.org
> Cc: Leon <wangxuzong at gmail.com>
> Subject: Re: [squid-users] How to inspect client certificate in ssl_bump
> On 10/22/2015 03:53 PM, Leon wrote:
>> I'm using Squid 3.5. What I'm going to do is setting up a forward 
>> proxy that inspect TLS handshake between client and server then allow 
>> the connection only when following two requirements are met:
>>     1. The server address must be in our whitelist, and the server 
>> must provide a correct server certificate during TLS handshake
>>     2. The client must provide a client certificate during TLS handshake.
>> And the certificate's subject must be in our whitelist
>> I've set up the ssl_bump according to this page:
>> http://wiki.squid-cache.org/Features/SslPeekAndSplice. I don't need to 
>> do any bump. I only need to peek then either splice or terminate.
>> My question is - how to inspect the client certificate? And how to 
>> configure an acl for that?
> Current SslBump code does not support client certificate inspection.
> Squid does not know anything about a bumped client certificate.
>> The document is confusing. It explains the peek action as:
>> peek    step1, step2    Receive SNI and client certificate (step1), or
>> server certificate (step2) while preserving the possibility of 
>> splicing the connection. Peeking at the server certificate usually 
>> precludes future bumping of the connection (see Limitations).
>> But client certificate is not sent at step1 during TLS handshake. 
>> Client certificate is sent after server certificate is received and 
>> the sever also send a "Certificate Request" message.
> That is correct. What do you find confusing about the current description? Please suggest improvements or edit the current text.
>> So I guess I need an additional step (step4)?
> Yes, although client certificate inspection should most likely be done during step3 and/or step4, with the current "final" step3 increased to
> step4 or step5.
>> Is there already someone working on this or I need to create by 
>> myself?
> I am not aware of anybody working on the client certificate inspection in SslBump. Please note that correctly handling client certificates during SslBump requires serious development work and that work needs to be done in the unstable SslBump code (e.g., we are currently rewriting handshake parsing code to make it safe and robust).
> HTH,
> Alex.

More information about the squid-users mailing list