[squid-users] Squid 4.3: SSL Bump fails to send client certificate

Alex Rousskov rousskov at measurement-factory.com
Wed Oct 31 21:38:44 UTC 2018


On 10/30/18 10:59 PM, Sid wrote:

> Sid: I took wireshark on Squid server (centOS 7); I took 2 wiresharks
> between Client & Squid and then between Squid & Server. I can see client
> being sent fake cert generated by Squid & client responds with "Client key
> Exchange", "Change cipher spec", "Encrypted Handshake Message".

Sounds good. Does the generated fake certificate contain the right
origin server name?


> But I can't see actual client certificate sent to Squid.

Why do you expect the client to send a client certificate to Squid? In
most deployments, TLS servers do not request client certificates and,
hence, TLS clients do not send client certificates. IIRC, you did not
configure your Squid to request a client certificate from the client?

Or is there a terminology problem where "client certificate sent to
Squid" means something other than "an x509 certificate requested by a
TLS server and sent to that server by a TLS client during TLS
handshake"? Please note that Squid is a TLS server in this context.


> Is there a way to decrypt in Wireshark?

Yes, there are several ways, including giving Wireshark your Squid's
private certificate key. Sorry, I do not have detailed instructions.
Please note that the encrypted part probably does not matter -- in most
cases prior to TLS v1.3, it is the plain text Hellos that are important
when it comes to bumping the connection.


> In Wireshark between Squid & Server I can see Squid responding
> with "61 Alert (Level: Fatal, Description: Internal Error)".

> Alex: Is your Squid configured to trust those internal CAs? If not, Squid
> would not be able to validate the server certificate.

> Sid: I have added those chained certificates as following in squid.conf
> tls_outgoing_options cafile=/usr/local/squid/etc/UCAppsCA.pem
> sslproxy_foreign_intermediate_certs /usr/local/squid/etc/UCAppsCA.pem

Perhaps the alert may not be related to certificate validation. If you
want to verify whether UCAppsCA.pem is enough to trust the origin
server, you can use "curl" or "openssl s_client" tools for a test. They
should fail to validate the server when not configured to use
UCAppsCA.pem and they should succeed otherwise.


HTH,

Alex.
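
The chain-trust test Alex suggests, carried out offline. This is an added example, not code from the thread, from Squid or from any of its contributors: it builds a throwaway hierarchy (self-signed root, intermediate, origin leaf) with openssl and runs "openssl verify" four ways, mirroring the two squid.conf directives in Sid's message. The root alone stands in for what tls_outgoing_options cafile= supplies, "-untrusted" stands in for what sslproxy_foreign_intermediate_certs supplies when the origin omits its intermediate, and the root+intermediate bundle stands in for a UCAppsCA.pem that carries the whole chain. The hostname apps.example.internal, the CA names and the file names are invented; the only requirement is an openssl binary (1.1.1 or later, for -addext).

```shell
#!/bin/sh
# Added example (not from the squid-users thread or from Squid). Builds a
# throwaway root -> intermediate -> leaf chain and checks which trust inputs
# make "openssl verify" accept the leaf. All names below are invented.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ORIGIN_NAME="apps.example.internal"   # assumed origin server hostname

# Minimal req config so the example does not depend on the distro openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\n' > "$WORK/req.cnf"

# Create root CA, an unrelated root, intermediate CA and origin leaf in $WORK.
gen_chain() {
    # Self-signed root: the trust anchor a real deployment would put in cafile=
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Root CA" -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    # Unrelated self-signed root, to show a wrong trust anchor is rejected
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Unrelated Root CA" -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
    # Intermediate CA, signed by the root
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Apps Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/inter.ext"
    openssl x509 -req -sha256 -days 2 -in "$WORK/inter.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
    # Leaf for the origin server, signed by the intermediate (as an internal
    # "apps" CA typically does; the origin may then fail to send that intermediate)
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$ORIGIN_NAME" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$ORIGIN_NAME" > "$WORK/server.ext"
    openssl x509 -req -sha256 -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1
    # Bundle = root + intermediate in one PEM, like a UCAppsCA.pem holding the whole chain
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
}

# Each check exits 0 when openssl accepts the leaf and non-zero when it rejects it.
# Root only, origin does not send its intermediate: rejected (no issuer for the leaf).
verify_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# Root as anchor plus the intermediate supplied out of band: accepted.
verify_root_plus_untrusted() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}
# Root and intermediate both in the trusted file: accepted.
verify_bundle() {
    openssl verify -CAfile "$WORK/bundle.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# Wrong root, even with the right intermediate: rejected.
verify_wrong_root() {
    openssl verify -CAfile "$WORK/other.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Print one line per case; expected: root_only rejected, root_plus_untrusted
# accepted, bundle accepted, wrong_root rejected.
report() {
    for chk in verify_root_only verify_root_plus_untrusted verify_bundle verify_wrong_root; do
        if "$chk"; then echo "$chk: accepted"; else echo "$chk: rejected"; fi
    done
}

gen_chain
report
```

Against the real origin the same question is answered by `openssl s_client -connect host:443 -servername host -CAfile /usr/local/squid/etc/UCAppsCA.pem` (look for "Verify return code: 0 (ok)" and at the certificate chain the server actually sends) or `curl --cacert /usr/local/squid/etc/UCAppsCA.pem https://host/`; if UCAppsCA.pem holds only the intermediate, or the origin never sends it, the example above shows which of the two directives has to carry it. On the decryption question: handing Wireshark the server's private key only works for RSA key exchange; with (EC)DHE cipher suites or TLS 1.3 Wireshark needs a NSS-format key log instead, which `openssl s_client -keylogfile` writes and which Wireshark reads through its TLS preference "(Pre)-Master-Secret log filename". For the client-to-Squid leg the relevant private key is Squid's, and Squid does not write such a key log, so the unencrypted ClientHello/ServerHello, as Alex notes, is usually all one needs.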
