<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 20.02.15 15:34, Ilya Karpov wrote:<br>
</div>
<blockquote
cite="mid:1C8751EC-13A0-4650-B4D9-D395FE69E721@gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div class="">I’m not sure that, using transparent sslbump, squid
will understand how to use a client certificate for mutual
authentication.</div>
</blockquote>
As you configure it.<br>
<blockquote
cite="mid:1C8751EC-13A0-4650-B4D9-D395FE69E721@gmail.com"
type="cite">
<div class="">At least without transparent ssl bump it doesn’t.</div>
</blockquote>
Sure. <br>
<blockquote
cite="mid:1C8751EC-13A0-4650-B4D9-D395FE69E721@gmail.com"
type="cite">
<div class="">Did you try to use transparent sslbump for client auth?
How does squid pick the right client certificate for a certain host?</div>
</blockquote>
Client auth on HTTPS sites is not a function of a transparent proxy. And
yes, we don't use client certs on our transparent proxy. We simply
bypass these sites directly without bumping. Let the clients do it
themselves. This is not our responsibility.<br>
<br>
I see two ways to do what you wish.<br>
<br>
1. Add sites that require client-cert auth to the exclude-bump list, i.e.,
exclude the proxy from the chain.<br>
2. Configure the proxy to use client certs with sites that require it, using
ACLs.<br>
<br>
<blockquote
cite="mid:1C8751EC-13A0-4650-B4D9-D395FE69E721@gmail.com"
type="cite"><br class="">
<div apple-content-edited="true" class="">
<span class="Apple-style-span">
<div class="">Best regards,</div>
<div class="">Ilya Karpov</div>
<div class=""><a moz-do-not-send="true"
href="mailto:karpoftea@gmail.com" class="">karpoftea@gmail.com</a></div>
<div class=""><br class="">
</div>
</span>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 20 Feb 2015, at 12:24, Yuri Voinov &lt;<a
moz-do-not-send="true" href="mailto:yvoinov@gmail.com"
class="">yvoinov@gmail.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta content="text/html; charset=utf-8"
http-equiv="Content-Type" class="">
<div bgcolor="#FFFFFF" text="#000000" class=""> Transparent
SSL Bump interception, eh?<br class="">
<br class="">
<div class="moz-cite-prefix">On 20.02.15 15:14, Ilya Karpov
wrote:<br class="">
</div>
<blockquote
cite="mid:93616B9A-9EE9-4FE8-8A5B-70F9EC3FA773@gmail.com"
type="cite" class="">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8" class="">
<div class="">Hi guys,</div>
<div class="">can anyone suggest a solution to make the
following scenario work using squid:</div>
<div class=""><br class="">
</div>
<div class="">step1. </div>
<div class="">Client (actually a server application) calls <a
moz-do-not-send="true" href="http://example.org/"
class="">HTTP://example.org</a> via the squid proxy.</div>
<div class=""> |</div>
<div class="">V </div>
<div class="">step2. </div>
<div class="">Proxy (Squid) understands that all calls to
<a moz-do-not-send="true" href="http://example.org/"
class="">HTTP://example.org</a> should be changed to
<a moz-do-not-send="true" href="https://example.org/"
class="">HTTPS://example.org</a>, trusts the CA that
<a moz-do-not-send="true"
href="http://example.org/" class="">example.org</a> uses, and
knows the client certificate to use for https client
authentication</div>
<div class="">
<div class=""> |</div>
<div class="">V </div>
</div>
<div class="">step3.</div>
<div class="">Origin (some server on the internet) accepts the
https request, authenticates the client, and returns the response</div>
<div class=""><br class="">
</div>
<div class="">The main aim is to make the client know
nothing about https complexity (storing
certificates/keys, knowing specific algorithms, etc.),
and make squid manage these things.</div>
<div class=""><br class="">
</div>
<br class="">
<div apple-content-edited="true" class=""> <span
class="Apple-style-span" style="border-collapse:
separate; border-spacing: 0px;">
<div class="">Best regards,</div>
<div class="">Ilya Karpov</div>
<div class=""><a moz-do-not-send="true"
href="mailto:karpoftea@gmail.com" class="">karpoftea@gmail.com</a></div>
<div class=""><br class="">
</div>
</span><br class="Apple-interchange-newline">
</div>
<br class="">
<br class="">
<pre class="" wrap="">_______________________________________________
squid-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</blockquote>
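<br>
An added squid.conf sketch (not from either poster) of the two options Yuri lists above, and of the HTTP-to-HTTPS client-cert scenario in Ilya's original question; it assumes Squid 3.5-era syntax (Squid 4 spells the peer options tls, tls-cert=, tls-key=, tls-cafile=), and example.org, the peer name and the /etc/squid/certs paths are placeholders:

```conf
# --- Option 1: keep the proxy out of the chain for sites that need client certs ---
# Peek at the TLS ClientHello to learn the server name, then splice (tunnel
# untouched) connections to those sites; everything else is bumped as before.
# The origin then sees the real client and can request its certificate directly.
acl step1 at_step SslBump1
acl client_cert_sites ssl::server_name .example.org
ssl_bump peek step1
ssl_bump splice client_cert_sites
ssl_bump bump all

# --- Option 2: the proxy presents the client cert itself (Ilya's scenario) ---
# Plain-HTTP requests for example.org are sent to the origin over TLS through a
# cache_peer that carries the client certificate, so the client never touches TLS.
# Keep the key file readable only by the squid user: whoever can read it can
# authenticate as that client. Paths are placeholders.
acl to_example dstdomain .example.org
cache_peer example.org parent 443 0 no-query originserver name=example_tls ssl sslcert=/etc/squid/certs/example-client.crt sslkey=/etc/squid/certs/example-client.key sslcafile=/etc/squid/certs/example-origin-ca.pem ssldomain=example.org
cache_peer_access example_tls allow to_example
cache_peer_access example_tls deny all
# Never go direct for these hosts, otherwise a peer failure would silently fall
# back to plain HTTP without the certificate.
never_direct allow to_example
```

The two parts coexist: spliced HTTPS connections bypass the peer entirely, while plain-HTTP requests matching to_example are upgraded to TLS with the proxy's own certificate.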
<br>
</body>
</html>