[squid-users] optional verification of clients?

Antonio SJ Musumeci trapexit at spawn.link
Tue Nov 5 16:05:55 UTC 2019


On 11/1/2019 8:37 PM, Amos Jeffries wrote:
> Oh well. That was the closest Squid has. I was hoping the library would
> sent cert request but not verify the clients response. So the details
> would be available for logging etc as handshake parameters.
> 
> If that client cert request/delivery is not working then the only
> alternative would be two proxy ports, one with client certificates
> required and one without. Which does not match what you are trying to
> achieve.
> 
> 
> If this is of particular importance patch/PR are welcome. I will keep it
> in mind for future TLS improvements, but there is no guarantees that way.
> <https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F>
> <https://wiki.squid-cache.org/DeveloperResources>

I've done a quick hack to remove SSL_VERIFY_FAIL_IF_NO_PEER_CERT from 
Ssl::SetupVerifyCallback in ssl/support.cc. It *appears* that this 
accomplishes what I want. I'm seeing client cert info when provided and 
not when I don't (in acl user_cert, logging, external_acl_handler, etc.) 
Anyone know if there may be some gotchas that I could be missing? Some 
data structures or behavior expecting the VERIFY_FAIL_IF_NO_PEER_CERT 
behavior? If it sounds safe I'll look into turning this into a proper 
sslflags option.


More information about the squid-users mailing list