[squid-users] optional verification of clients?

Amos Jeffries squid3 at treenet.co.nz
Sat Nov 2 00:37:38 UTC 2019


On 2/11/19 1:17 am, Antonio SJ Musumeci wrote:
> On 11/1/2019 2:32 AM, Amos Jeffries wrote:
>> On 1/11/19 9:19 am, Antonio SJ Musumeci wrote:
>>> Is there a way to do something similar to NGINX's "ssl_verify_client
>>> optional;"?
>>
>>
>> Set sslflags=DELAYED_AUTH on the http(s)_port line.
>>
>> Though why you would want to slow every TLS connection setup with KBs of
>> certificates pushed in both directions then "dropped on the floor" is
>> beyond me.
>>
> 
> The docs indicated that DELAYED_AUTH isn't implemented and doesn't seem
> to work on 4.8. If I enable it it acts as if no certs are passed and the
> http_access user_cert acl I set up, which works fine when not using
> DELAYED_AUTH, does not seem to trigger the verification.
> 

Oh well. That was the closest Squid has. I was hoping the library would
send the cert request but not verify the client's response, so the details
would be available for logging etc. as handshake parameters.

If that client cert request/delivery is not working then the only
alternative would be two proxy ports, one with client certificates
required and one without. Which does not match what you are trying to
achieve.


If this is of particular importance, patches/PRs are welcome. I will keep it
in mind for future TLS improvements, but there are no guarantees that way.
<https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F>
<https://wiki.squid-cache.org/DeveloperResources>

Amos
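The two-port alternative described in the reply above, written out as a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the file paths, port numbers, `name=` labels, the CA bundle and the CN values are assumptions chosen for illustration.

```conf
# Added example (not from the thread): two https_port lines for Squid 4.x,
# one that never asks for a client certificate and one that requires one.
# Paths, ports, names and CN values below are illustrative assumptions.

# Port "open": plain TLS proxy port. Without clientca= Squid sends no
# CertificateRequest, so any TLS client completes the handshake.
https_port 3128 name=open tls-cert=/etc/squid/proxy.crt tls-key=/etc/squid/proxy.key

# Port "certonly": clientca= makes Squid request a client certificate and
# verify it against this CA bundle. A client presenting no certificate, or
# one not chaining to the bundle, fails at the TLS handshake.
https_port 3129 name=certonly tls-cert=/etc/squid/proxy.crt tls-key=/etc/squid/proxy.key clientca=/etc/squid/client-ca.pem

# Tell the two ports apart so that http_access can apply different rules.
acl open_port myportname open
acl cert_port myportname certonly

# user_cert only has something to match on connections that arrived with
# a verified client certificate, i.e. those on the certonly port.
acl trusted_clients user_cert CN alice bob

# Certificate-bearing clients: only the listed CNs may use the proxy.
http_access allow cert_port trusted_clients
http_access deny cert_port

# Clients on the open port fall back to an ordinary source-address policy.
acl localnet src 192.0.2.0/24
http_access allow open_port localnet
http_access deny all
```

Clients that can present a certificate are pointed at port 3129 and everyone else at 3128; as the reply notes, this splits the population by port rather than letting one port accept both, which is the gap left by DELAYED_AUTH not working.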

