[squid-users] Fwd: Squid authentication on the origin server during SslBumping

Alexei Mayanov piphonom at gmail.com
Mon Dec 28 14:34:51 UTC 2015


Hello!
Sorry if my question has been asked before, but I didn't find any answer.
We have a remote web server where only authenticated users have
access to it. Authentication is done by X.509 certificates.
I want authentication to the remote web server to be transparent
for our local network users. For this I'm trying to set up Squid in
transparent mode with SSL bumping.
Is it possible to set up Squid to authenticate itself to the remote
origin by X.509 certificate?

I tried to set up Squid 3.5.12 to do SSL bumping and authenticate
itself to the origin by X.509 certificate, but without success.
Here is part of my test config for SSL bumping:

#bumping
https_port 3131 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/user/squiddata/myCA.pem
ssl_bump peek all
ssl_bump bump all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /home/user/squiddata/ssl_db -M 4MB
sslcrtd_children 5
# certificate to authenticate Squid on the origin. Is it right?
sslproxy_client_certificate /home/user/squiddata/client.crt
# appropriate key
sslproxy_client_key /home/user/squiddata/.key
# CA bundle
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
acl SSLERR ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
sslproxy_cert_error allow SSLERR
sslproxy_cert_error deny all

But I get the following error:

Error negotiating SSL on FD 12: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
1450974176.611     45 192.168.1.114 TAG_NONE/200 0 CONNECT <remote ip>:443 - ORIGINAL_DST/<remote ip> -
Error negotiating SSL connection on FD 10: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback (1/-1)

It seems the remote server can't authenticate Squid.

SSL bumping with only remote server verification works well.

Thanks in advance.
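The following script is an added example and is not part of the original post or of Squid itself. Before blaming the bump configuration, a practitioner would first confirm, offline, that the client identity Squid is told to present (the files named by sslproxy_client_certificate and sslproxy_client_key in the post) is internally consistent: the certificate and private key share one public key, and the certificate chains to a CA the origin trusts. The script generates a throwaway CA and client certificate with openssl purely as constructed test material; the file paths, the CA name and the origin host in the commented s_client line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Squid): offline checks on
# the client certificate and key that Squid would present to the origin.
# All paths here are assumptions; the CA and client cert are constructed
# throwaway material, not real credentials.
set -u

# Return 0 if CERT and KEY belong together (identical public key) and CERT
# verifies against CAFILE; otherwise print which check failed and return 1.
check_client_identity() {
    cert=$1; key=$2; cafile=$3
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key $key"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match"; return 1
    fi
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "certificate does not chain to $cafile"; return 1
    fi
    # This is the identity the origin will see during the TLS handshake.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
    return 0
}

# Build a throwaway CA, a client certificate signed by it, and one unrelated
# key (constructed test data, valid for one day, written into DIR).
make_test_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=squid-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/client.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
}

# Demo run: "sh check_client_cert.sh demo" builds the test material, checks
# the matching pair, then shows the mismatch case with the unrelated key.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_material "$tmp"
    check_client_identity "$tmp/client.crt" "$tmp/client.key" "$tmp/ca.crt"
    check_client_identity "$tmp/client.crt" "$tmp/other.key" "$tmp/ca.crt"
    rm -rf "$tmp"
fi

# Once the local checks pass, the same identity can be tried against the real
# origin without Squid in the path (needs network; host is an assumption):
#   openssl s_client -connect origin.example:443 -servername origin.example \
#       -cert /home/user/squiddata/client.crt -key /home/user/squiddata/client.key \
#       -CAfile /etc/ssl/certs/ca-certificates.crt
```

If the s_client handshake succeeds with these files but the bumped connection through Squid still fails, the problem lies in how Squid negotiates with the origin rather than in the credentials; if s_client already fails with the same alert, the origin rejects the identity or the TLS parameters independently of Squid.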

