[squid-users] Is there a scalable way in SSL-Bump forwarding client's certificate to server?

Alex Rousskov rousskov at measurement-factory.com
Wed Dec 11 13:45:29 UTC 2019


On 12/11/19 7:10 AM, Amos Jeffries wrote:
> On 11/12/19 6:48 pm, GeorgeShen wrote:
>> Ok. For the 'clientca=' and 'tls-cafile=', is the purpose for the proxy to
>> verify the client cert against this list before allowing the connection to go
>> further?

> Any client certificate given must verify.

And, by default, any TLS client not providing a certificate will be denied.


>> Does configuring 'clientca=' signal all the
>> clients to send their certificate if they have one?

By default, the setting implies that a client has to send a client
certificate. If a client does not have a certificate, it cannot
successfully negotiate a TLS connection with a clientca-enabled https_port.

Squid has options that can change the above default behavior.

Alex.

