[squid-users] explicit forward proxy to server requiring client authentication

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed May 18 07:04:39 UTC 2016


On 17.05.16 17:11, Robert W Weaver wrote:
>The issue is I need to connect to a site that requires client
>authentication.  Don't want to put the key and cert on each individual
>user, so instead want the key and cert on the proxy.
>
>Diagram:
>
>User A ---> Squid S ---> Server B
>        ^            ^
>        |            +-- TLS client authentication
>        +-- cleartext okay
>
>I'm able to bump, but the client authentication to server B isn't working.

...of course it's not working. When you bump a connection, you are effectively
performing a MITM attack. The client talks to the proxy and the proxy talks to the
server. Squid can't use the client's certificate because it does not have the
client's private key (the whole point of SSL is to avoid these situations).

SSL authentication can work between client and proxy, and another one
between proxy and the server.

If you have a certification authority, you can create a fake client key and
authenticate with it, but the server (site) must accept your authority.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
A day without sunshine is like, night.
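
The two points in the reply above, checked with openssl as an added example that is not part of the original thread: a certificate is unusable without its own private key, and a proxy-held client certificate is accepted only by a server that trusts the issuing CA. The names proxy-ca, other-ca, squid-proxy and user-a are constructed for this demo.

```shell
#!/usr/bin/env bash
# Constructed demo; every name and file here is made up for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA NAME: new key pair for NAME, certificate signed by CA
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/$2.crt" 2>/dev/null
}

# key_matches CERT KEY: does the private key belong to the certificate?
# TLS client authentication needs a signature made with the matching key.
key_matches() {
  cert_pub=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/$2.key" -pubout)
  if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# server_accepts TRUSTED_CA CERT: chain check against the server's trust anchor
server_accepts() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

make_ca proxy-ca                   # CA operated by the proxy admin
make_ca other-ca                   # the only CA some other server trusts
issue_client proxy-ca squid-proxy  # key and cert that live on the proxy
issue_client proxy-ca user-a       # user's own pair; its key never leaves the user

echo "user-a cert with proxy key:    $(key_matches user-a squid-proxy)"
echo "proxy cert with proxy key:     $(key_matches squid-proxy squid-proxy)"
echo "server trusting proxy-ca:      $(server_accepts proxy-ca squid-proxy)"
echo "server trusting only other-ca: $(server_accepts other-ca squid-proxy)"
```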
