[squid-users] Fwd: Squid authentication on the origin server during SslBumping

Alex Rousskov rousskov at measurement-factory.com
Mon Dec 28 16:14:17 UTC 2015


On 12/28/2015 07:34 AM, Alexei Mayanov wrote:
> Is it possible to set up Squid to authenticate itself on the remote
> origin by an X509 certificate?

I do not know for sure, but I suspect that:

1. SslBump transactions aside, one may configure Squid to authenticate
itself to an origin server using an X509 certificate mentioned in
squid.conf. If this is not possible, it is a missing feature or a bug.

2. It is possible to splice user-to-Squid and Squid-to-origin
connections while preserving user-to-origin authentication using an X509
certificate provided by the user. If this is not possible, it is a
missing feature or a bug.

3. It is possible to bump user-to-Squid and Squid-to-origin connections
while Squid authenticates itself to the origin server using an X509
certificate mentioned in squid.conf. If this is not possible, it is a
missing feature or a bug.

4. It is impossible to bump user-to-Squid and Squid-to-origin
connections while preserving user-to-origin authentication using an X509
certificate provided by the user. Bumping does not (and cannot)
impersonate an SSL client protected by a client certificate.

Which variant are you after?


> Here is part of my test config for SSL bumping:
> 
> ssl_bump peek all
> ssl_bump bump all

This combination usually does not work. Look for "prevents future
bumping" and Limitations at

  http://wiki.squid-cache.org/Features/SslPeekAndSplice


HTH,

Alex.
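
Added example, not part of the original message or of the Squid project's documentation: a squid.conf sketch that contrasts the quoted `peek all` / `bump all` rules with a step-limited rule set and maps the four variants above onto directives. The ACL name `clientcert_sites`, the domain and the file paths are placeholders, and the `sslproxy_client_*` names assume a Squid 3.x series configuration.

```conf
# Added example; ACL names, the domain and file paths are placeholders.

# As posted: "peek all" also matches at step 2, and peeking at step 2
# usually prevents future bumping (see Limitations on the wiki page).
#   ssl_bump peek all
#   ssl_bump bump all

# Restrict peeking to step 1 so that bumping is still possible afterwards.
acl step1 at_step SslBump1

# Variants 2 and 4: origins that require the user's own client certificate
# cannot be bumped. Splice them so the user's TLS session, including the
# client certificate exchange, reaches the origin untouched.
acl clientcert_sites ssl::server_name .clientcert.example.com

ssl_bump peek step1
ssl_bump splice clientcert_sites
ssl_bump bump all

# Variants 1 and 3: certificate and key that Squid itself presents to
# origin servers. The origin then sees Squid's identity, not the user's,
# so any per-user access control has to be enforced at the proxy.
sslproxy_client_certificate /etc/squid/placeholder-client.pem
sslproxy_client_key /etc/squid/placeholder-client.key
```

Running `squid -k parse` against the edited file checks the syntax before a reload. The message above does not confirm that the configured certificate is presented on bumped connections, so verify that on the origin side.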


