[squid-dev] Squid supports two-ssl auth as mated squid proxy

Amos Jeffries squid3 at treenet.co.nz
Sun Aug 12 18:31:05 UTC 2018


On 11/08/18 05:02, rahman wrote:
> Hi, please let me know if Squid supports two-way SSL authentication. Please
> confirm if we can have an application server connection to a remote server via
> a NATed Squid proxy. The remote server requires client authentication
> (SSL mutual auth). If yes, please guide on how to set it up.


No.

Squid does/should support two-way TLS authentication.

However, when NAT is involved the clients very likely do not permit it
to happen for all the exact same reasons that NAT breaks all types of
authentication:

 * the client does not know that it is talking to the proxy.

NAT is interception and TLS is explicitly designed to prevent
interception. Two-way authentication is even more strictly forbidding
than regular one-way authentication in TLS.


Any client worth using *will not* send security credentials at any level
to an upstream proxy which is not supposed to be there. The client
connected to the origin server and will only send credentials appropriate
for that origin.
The proxy does not have access to private key(s) of the origin. So it
cannot generate nor verify any authentication token (ie client
certificate) which requires that private key.

The best a proxy can do is replace the origin keys with proxy keys and
hope the client is a) not verifying properly, or b) trusts the proxy
based on those new keys alone. (This is what SSL-Bump does.)

Amos
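The two points in the reply above can be shown with certificates alone, without running a proxy. The script below is an added example, not code from this thread or from Squid; it assumes only the `openssl` command-line tool. Every name in it is constructed for the demonstration: the hostname `origin.example`, the three CAs, and the bytes used as a stand-in for the handshake-bound data a client signs during TLS client authentication. It builds an origin server certificate, a proxy-issued substitute certificate for the same name (what SSL-Bump presents), and a client certificate, then checks what a properly verifying client accepts and what the origin can verify.

```sh
#!/bin/sh
# Added example, not code from the squid-dev thread or from Squid itself.
# Assumes only the openssl command-line tool. All names below (CA names,
# the hostname origin.example, the "transcript" bytes) are constructed here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

HOST="origin.example"   # constructed name of the origin server

# Self-signed CA whose private key stays in $1-ca.key. An explicit config
# keeps the CA extensions identical across OpenSSL versions.
make_ca() {
  cat > "$1-ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca
[dn]
CN = $1 CA
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$1-ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1-ca.key" -out "$1-ca.pem" 2>/dev/null
}

# Leaf certificate $1.pem (private key in $1.key) issued by CA $2 with SAN $3.
make_leaf() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1" > "$1.cnf"
  openssl req -new -config "$1.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$3" > "$1.ext"
  openssl x509 -req -days 1 -in "$1.csr" -CA "$2-ca.pem" -CAkey "$2-ca.key" \
    -CAcreateserial -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# The origin: its own CA and a server certificate for $HOST.
make_ca origin
make_leaf origin-leaf origin "DNS:$HOST"
# An intercepting (bumping) proxy: a different CA and a substitute
# certificate carrying the same name, signed with the proxy's own key.
make_ca proxy
make_leaf proxy-leaf proxy "DNS:$HOST"
# The client: a certificate issued by the CA the origin trusts for client auth.
make_ca clientca
make_leaf client clientca "email:user@example.invalid"

# What a properly verifying client does: chain the presented certificate ($2)
# to its trust anchor ($1) and match the name. Exit 0 = accept, non-zero = refuse.
client_accepts() {
  openssl verify -CAfile "$1" -verify_hostname "$HOST" "$2" >/dev/null 2>&1
}

# Client authentication is a signature over handshake-bound data made with the
# client's private key; transcript.bin is a constructed stand-in for that data.
printf 'constructed handshake transcript' > transcript.bin
openssl dgst -sha256 -sign client.key -out client.sig transcript.bin
# The origin checks that signature with the public key from the client cert.
openssl x509 -in client.pem -pubkey -noout > client.pub
origin_verifies_client() {
  openssl dgst -sha256 -verify client.pub -signature "$1" transcript.bin >/dev/null 2>&1
}
# The proxy sees the client certificate (public) but never the client's key;
# the best it can do is sign with a key of its own.
openssl dgst -sha256 -sign proxy-leaf.key -out proxy-forged.sig transcript.bin

show() { label="$1"; shift; if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi; }
show "origin cert, client trusts origin CA " client_accepts origin-ca.pem origin-leaf.pem
show "bumped cert, client trusts origin CA " client_accepts origin-ca.pem proxy-leaf.pem
show "bumped cert, client trusts proxy CA  " client_accepts proxy-ca.pem proxy-leaf.pem
show "client signature made with client key" origin_verifies_client client.sig
show "client signature forged by the proxy " origin_verifies_client proxy-forged.sig
```

The second line of output is the verifying client refusing the bumped certificate; the third is case (b) from the reply, a client that has been made to trust the proxy CA. The last line is the private-key point: with only the client's certificate in hand, nothing the proxy signs verifies under the client's public key, so the origin's client-authentication check fails.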

