[squid-users] Squid 4.3: SSL Bump fails to send client certificate

Amos Jeffries squid3 at treenet.co.nz
Thu Nov 1 08:49:40 UTC 2018


On 1/11/18 5:55 PM, Sid wrote:
> Thank you Alex.
> 
>> Sounds good. Does the generated fake certificate contain the right origin
>> server name?
> Sid: Yes, it does contain the correct IP address in the server name sent by the client.
> 

Alex asked about *name*. IP address is not part of the considerations
because using a raw IP is not valid for SNI. Even though having one in
the cert "name" is valid, it is not supposed to happen either.

Also by "right" he means that Squid is passing on either the *same* name
value from the client SNI (bumping at step 2) or from the real server
provided certificate (bumping at step 3).


> 
>> Why do you expect the client to send a client certificate to Squid? In most
>> deployments, TLS servers do not request client certificates and, hence, TLS
>> clients do not send client certificates. IIRC, you did not configure your
>> Squid to request a client certificate from the client?
> 
>> Or is there a terminology problem where "client certificate sent to
>> Squid" means something other than "an x509 certificate requested by a
>> TLS server and sent to that server by a TLS client during TLS
>> handshake"? Please note that Squid is a TLS server in this context.
> 
> Sid: Actually, in my case the server is looking for a certificate to be sent by
> the client; it isn't a web server but an SBC looking for a certificate sent by
> a client to grant further voice & video calls. How do I configure Squid to get
> this certificate from the client for mutual authentication?


Configure clientca= on the http(s)_port directive;
see <http://www.squid-cache.org/Doc/config/http_port/>

IIRC that should work when SSL-Bump functionality re-purposes the
cafile= option which was supposed to be the CA for client certificates.


> 
>> Perhaps the alert may not be related to certificate validation. If you want
>> to verify whether UCAppsCA.pem is enough to trust the origin server, you can
>> use "curl" or "openssl s_client" tools for a test. They should fail to
>> validate the server when not configured to use UCAppsCA.pem and they should
>> succeed otherwise.
> 
> Sid: I have tried the following, which shows "Verify return code: 0 (ok)":
> openssl s_client -connect <Server FQDN>:443 -CAfile
> /usr/local/squid/etc/UCAppsCA.pem
> 



Amos
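The following squid.conf fragment is an added example, not configuration posted by anyone in this thread, showing one way to put Amos's clientca= suggestion on a bumping https_port together with the step-2 bump rules the thread refers to. The port number, the bump cert/key paths, and the use of UCAppsCA.pem as the client-certificate CA are assumptions; as Amos notes, whether clientca= is honoured on a bumped connection is not confirmed here.

```conf
# Added example (not from the thread). Assumed: port 3129, the bump cert/key
# paths, and that UCAppsCA.pem issued the client certificates the SBC expects.
# tls-cert=/tls-key=/tls-cafile= are the Squid 4 option names; cert=/key=/cafile=
# are the older spellings Amos refers to.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    tls-cert=/usr/local/squid/etc/bump.pem \
    tls-key=/usr/local/squid/etc/bump.key \
    clientca=/usr/local/squid/etc/UCAppsCA.pem

# Peek at step 1, bump from step 2 on, so the generated certificate carries
# the name the client sent in its SNI (the case Amos describes).
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Trust store for validating the real origin (the SBC) on the Squid-to-server
# leg; this is the file Sid checked with openssl s_client.
tls_outgoing_options cafile=/usr/local/squid/etc/UCAppsCA.pem
```

Note the limitation that follows from Alex's point that Squid is the TLS server on the client-facing leg: a client certificate requested via clientca= is presented to, and verified by, Squid itself. Squid does not hold the client's private key, so it cannot re-present that certificate to the SBC on the outgoing connection; if the SBC insists on a client certificate, the client would have to reach it without being bumped (for example via an ssl_bump splice rule for that destination).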


