[squid-users] Is there a scalable way in SSL-Bump forwarding client's certificate to server?
rousskov at measurement-factory.com
Wed Dec 11 03:20:52 UTC 2019
On 12/10/19 10:08 PM, GeorgeShen wrote:
> I've seen some post saying there is a way to configure the squid proxy to
> get the client certificate.
Yes, look for "client certificate" in your squid.conf.documented.
> But to be scalable (assume it has many https clients)
If you are implying that Squid would check whether the client has sent a
particular client certificate copy, then this is not how certificate
authentication works. Squid would validate whether the client has sent a
certificate _signed_ by the configured client CA certificate. A single
CA certificate can be used to sign (i.e. issue) millions of client
> I'm wondering if the proxy can ask for the client certificate and
> modify that certificate in negotiating the session with the server;
It is possible in theory but Squid cannot do that. There could be some
very special environments where such a scheme would make sense, but keep
in mind that the server would have to share its client CA certificate
(or equivalent) with Squid for the scheme to work.
> I understand in the current timeline, the proxy
> negotiates with the server before accepting the tls hello from client.
In most SslBump setups, Squid negotiates with the server _after_ seeing
the TLS client Hello.
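To make the scaling point concrete (the verifier keeps one client CA certificate and checks the CA's signature on whatever certificate a client presents; it never stores a copy per client), here is an added shell example that is not part of this thread and not Squid's own code. It uses the openssl command line in place of Squid's TLS handshake; in Squid the trusted client CA is the one given to https_port via clientca= (see squid.conf.documented). Every name, file and CA in the script is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread or from Squid itself.
# Models what a TLS server does with a client certificate: it verifies the
# signature of the configured client CA over the presented certificate.
# Only the CA certificate lives on the verifying side, so one CA covers any
# number of issued client certificates. Requires the openssl CLI.
# All names and files below are constructed for this demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the self-signed CA certificates carry CA:TRUE
# regardless of what the system default openssl.cnf contains.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Create a self-signed CA: $1 = file prefix, $2 = common name.
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 1 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a client certificate signed by CA $1 for client $2. The verifier is not
# involved in this step and never receives a copy of the result.
issue_client() {
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The handshake-time check: does the presented certificate ($1) chain to the
# trusted client CA ($2)? Exit status 0 = accepted, non-zero = rejected.
verify_client_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Count how many of the given certificates the verifier accepts using a single
# CA file ($1). This is the only state the verifier needs.
count_accepted() {
  ca=$1; shift
  n=0
  for cert in "$@"; do
    if verify_client_cert "$cert" "$ca"; then n=$((n + 1)); fi
  done
  echo "$n"
}

make_ca clientca "Demo Client CA"   # the CA the proxy would be configured with
make_ca otherca  "Unrelated CA"     # an issuer the proxy does not trust
for name in alice bob carol; do issue_client clientca "$name"; done
issue_client otherca stranger

ACCEPTED=$(count_accepted "$WORK/clientca.pem" \
  "$WORK/alice.pem" "$WORK/bob.pem" "$WORK/carol.pem" "$WORK/stranger.pem")
echo "accepted $ACCEPTED of 4 presented certificates"   # accepted 3 of 4
```

Run it with sh. The three certificates issued by the demo client CA verify, the one issued by the unrelated CA does not, and the verifier touched nothing but clientca.pem to decide; adding a fourth, fourth-thousandth or four-millionth client changes nothing on the verifying side. Contrast that with pinning individual client certificates, which would require a stored copy per client and is the non-scalable scheme the reply above is ruling out.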