[squid-users] Allowing User Certificate Authentication with SSL Bump

Alex Rousskov rousskov at measurement-factory.com
Wed Apr 28 19:40:54 UTC 2021

On 4/27/21 6:23 PM, Justin Cook wrote:
> In this case we're not looking to authenticate the user themselves with
> the squid server but with the destination web server, does that change
> the scope?

* If you do need to bump TLS connections:

Yes, certificate authentication with an origin server is a different
problem. If Squid does not possess the client certificate key, then
Squid cannot both bump the TLS client connection (i.e. become the client
from the origin server point of view) and keep the old client from the
origin server point of view.

In this case, this is not a technical limitation of the current Squid
implementation like "TLS inside TLS"; it is a protocol-level conflict
that no implementation can resolve. TLS design makes
faking/impersonating the authenticating client impossible without
leaking the client key to the proxy.

If you can refactor so that the origin server trusts Squid instead of
the client, and Squid authenticates the TLS client, then we will be back
to the earlier "TLS inside TLS" problem (not to mention client
changes/complications), so this kind of refactoring is unlikely to be
the right way forward.

* If you only need to peek at TLS connections:

You should be able to keep client certificate authentication. If Squid
cannot keep that while peeking at the TLS client or the origin server,
then there is a Squid bug somewhere.

> On Tue, Apr 27, 2021 at 10:57 AM Alex Rousskov wrote:
>
>     On 4/27/21 1:33 PM, Justin Cook wrote:
>     > We are running into a situation where we are unable to fully
>     > authenticate our users to an internal tooling service that requires
>     > certificate authentication as part of its login process, when going
>     > through squid forward proxy with SSL bump enabled.
>
>     SslBump does not support "TLS inside TLS" configurations, which is what
>     you get when you combine certificate-based proxy authentication (which
>     requires an https_port working in a forward proxy mode) with SslBump
>     (which, for an https_port, currently requires an interception proxy
>     mode).
>
>     It is possible to add support for "TLS inside TLS", but it requires a
>     serious development effort.
>     https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
>
>     HTH,
>     Alex.
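The practical consequence of the two cases above (bumping breaks origin-server client-certificate authentication because Squid never holds the client's private key; peeking/splicing preserves it) is a configuration that splices the origins which require client certificates and bumps everything else. The squid.conf fragment below is an added example written for this page, not something posted in the thread or shipped by the Squid project; the port number, certificate and helper paths, and the `.tooling.example.internal` domain are assumptions to be replaced with local values.

```conf
# Forward proxy port (CONNECT tunnels) with SslBump enabled.
# bump.pem is the proxy's own CA certificate and key, which clients must
# trust for the sites that are bumped; paths are assumptions.
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl/bump.pem

# Helper that mints per-site certificates for bumped connections.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# SslBump processing steps.
acl step1 at_step SslBump1

# Origins that authenticate the user with a client certificate.
# Matched against the SNI seen while peeking at the client ClientHello.
acl clientcert_origins ssl::server_name .tooling.example.internal

# Step 1: only peek at the client hello, so the SNI is available for
# the decision below without committing to bumping.
ssl_bump peek step1

# Origins that need the user's client certificate are spliced: Squid
# forwards the TLS bytes unchanged, the client completes the handshake
# directly with the origin, and the CertificateVerify signature made
# with the user's key stays valid because nobody in between re-signs it.
ssl_bump splice clientcert_origins

# Everything else is bumped: Squid terminates the client TLS session and
# opens its own TLS session to the origin. The origin then sees Squid as
# the TLS client, so client-certificate login cannot work for these.
ssl_bump bump all
```

When checking the result, a bumped connection presents a certificate issued by the proxy CA to the browser, while a spliced connection presents the origin's real certificate and lets the browser's client-certificate prompt go straight through to the origin; any origin that unexpectedly lands in the `bump all` branch will fail client-certificate login exactly as described in the thread.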
