[squid-users] Is there a scalable way in SSL-Bump forwarding client's certificate to server?
Alex Rousskov
rousskov at measurement-factory.com
Wed Dec 11 13:45:29 UTC 2019

On 12/11/19 7:10 AM, Amos Jeffries wrote:
> On 11/12/19 6:48 pm, GeorgeShen wrote:
>> Ok. For the 'clientca=' and 'tls-cafile=', is the purpose for the proxy to
>> verify the client cert against this list before allowing the connection to go
>> further?

> Any client certificate given must verify.

And, by default, any TLS client not providing a certificate will be denied.

>> Does this 'clientca=' configuration signal all the
>> clients to send their certificate if they have one?

By default, the setting implies that a client has to send a client
certificate. If a client does not have a certificate, it cannot
successfully negotiate a TLS connection with a clientca-enabled https_port.

Squid has options that can change the above default behavior.

Alex.