[squid-users] Block and allow connections by CA

Alex Rousskov rousskov at measurement-factory.com
Thu Dec 19 20:47:55 UTC 2019

On 12/19/19 5:56 AM, PatrĂ­cia Sousa wrote:

> I would like to have an IoT device that only receives and sends requests
> to and from certain devices that belong and are authenticated by a
> specific certificate authority. Is it possible to block all other
> connections or only allow connections from devices that belong to a
> specific CA?

Yes, I believe it is possible:

* Squid can check (via an https_port configuration option) that a TLS
client possesses a certificate signed by a specific CA.

* Squid can check (via a ca_cert ACL) that a TLS server uses a
certificate signed by a specific CA. This ACL can be applied during
SslBump step3 processing, but there may be a way to sneak it in without
using SslBump (or such a way can be added by modifying Squid).

If ca_cert options are not enough, Squid can check other server
certificate properties via a custom certificate validation daemon (which
you would have to write). Or one could add support for more properties
to the ca_cert ACL.


More information about the squid-users mailing list