[squid-users] Allowing User Certificate Authentication with SSL Bump
justinglencook at gmail.com
Wed Apr 28 20:36:05 UTC 2021
Unfortunately the peeking only logs the fqdn and no subdirectories, which
doesn't meet our logging requirements for security :(. It sounds like there
isn't a way to have squid do both currently, I do appreciate the
On Wed, Apr 28, 2021 at 12:40 PM Alex Rousskov <rousskov at measurement-factory.com> wrote:
> On 4/27/21 6:23 PM, Justin Cook wrote:
> > In this case we're not looking to authenticate the user themselves with
> > the squid server but with the destination web server, does that change
> > the scope?
> * If you do need to bump TLS connections:
> Yes, certificate authentication with an origin server is a different
> problem. If Squid does not possess the client certificate key, then
> Squid cannot both bump the TLS client connection (i.e. become the client
> from the origin server point of view) and keep the old client from the
> origin server point of view.
> In this case, this is not a technical limitation of the current Squid
> implementation like "TLS inside TLS"; it is a protocol-level conflict
> that no implementation can resolve. TLS design makes
> faking/impersonating the authenticating client impossible without
> leaking the client key to the proxy.
> If you can refactor so that the origin server trusts Squid instead of
> the client, and Squid authenticates the TLS client, then we will be back
> to the earlier "TLS inside TLS" problem (not to mention client
> changes/complications), so this kind of refactoring is unlikely to be
> the right way forward.
> * If you only need to peek at TLS connections:
> You should be able to keep client certificate authentication. If Squid
> cannot keep that while peeking at the TLS client or the origin server,
> then there is a Squid bug somewhere.
> > On Tue, Apr 27, 2021 at 10:57 AM Alex Rousskov wrote:
> > On 4/27/21 1:33 PM, Justin Cook wrote:
> > > We are running into a situation where we are unable to fully
> > > authenticate our users to an internal tooling service that requires
> > > certificate authentication as part of its login process, when going
> > > through squid forward proxy with SSL bump enabled.
> > SslBump does not support "TLS inside TLS" configurations, which is what
> > you get when you combine certificate-based proxy authentication (which
> > requires an https_port working in a forward proxy mode) with SslBump
> > (which, for an https_port, currently requires an interception proxy
> > mode).
> > It is possible to add support for "TLS inside TLS", but it requires a
> > serious development effort.
> > HTH,
> > Alex.
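As an added illustration of the peek-vs-bump trade-off Alex describes (this is not configuration from the thread or from the Squid project), the squid.conf fragment below peeks at every TLS client hello, splices the one origin that authenticates the client with its own certificate, and bumps everything else. The hostname tools.internal.example, the port, and the file paths are placeholders.

```conf
# Added example, not from the thread: keep client-certificate auth working
# for one origin while still bumping (and fully logging) all other HTTPS.
# Placeholders: port 3128, /etc/squid/bump-ca.pem, the certgen helper path,
# and tools.internal.example.

http_port 3128 ssl-bump \
    cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB

# SslBump1 = Squid has only the client's ClientHello (SNI) so far.
acl step1 at_step SslBump1

# Origins that authenticate the client with the client's own certificate.
# Squid cannot present that certificate (it never has the private key), so
# it must never become the TLS client toward these hosts.
acl cert_auth_origin ssl::server_name tools.internal.example

# Step 1: look at the SNI without changing the handshake.
ssl_bump peek step1
# Then: tunnel the cert-auth origin end to end, bump everything else.
ssl_bump splice cert_auth_origin
ssl_bump bump all
```

Spliced connections appear in access.log as a CONNECT to the SNI host only, which is exactly the "fqdn and no subdirectories" limitation noted in the reply above; full URL paths are only visible for the bumped origins.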