[squid-users] Is there a scalable way in SSL-Bump forwarding client's certificate to server?

Alex Rousskov rousskov at measurement-factory.com
Wed Dec 11 03:20:52 UTC 2019

On 12/10/19 10:08 PM, GeorgeShen wrote:

> I've seen some post saying there is a way to configure the squid proxy to
> get the client certificate.

Yes, look for "client certificate" in your squid.conf.documented.

> But to be scalable (assume it has many https clients) 

If you are implying that Squid would check whether the client has sent a
particular client certificate copy, then this is not how certificate
authentication works. Squid would validate whether the client has sent a
certificate _signed_ by the configured client CA certificate. A single
CA certificate can be used to sign (i.e. issue) millions of client

> I'm wonder if the proxy can ask for the client certificate and
> modify that certificate in negotiating the session with the server;

It is possible in theory but Squid cannot do that. There could be some
very special environments where such a scheme would make sense, but keep
in mind that the server would have to share its client CA certificate
(or equivalent) with Squid for the scheme to work.

> I understand in the current timeline, the proxy is
> negotiate with the server before accepting the tls hello from client.

In most SslBump setups, Squid negotiates with the server _after_ seeing
the TLS client Hello.


More information about the squid-users mailing list