[squid-users] Squid 4.3: SSL Bump fails to send client certificate

Sid SIDDH05 at gmail.com
Thu Nov 1 04:55:35 UTC 2018


Thank you Alex.

>Sounds good. Does the generated fake certificate contain the right origin
>server name?
Sid: Yes, it does contain the correct IP address in the server name sent by the client.
 

>Why do you expect the client to send a client certificate to Squid? In most
>deployments, TLS servers do not request client certificates and, hence, TLS
>clients do not send client certificates. IIRC, you did not configure your
>Squid to request a client certificate from the client?

>Or is there a terminology problem where "client certificate sent to
>Squid" means something other than "an x509 certificate requested by a
>TLS server and sent to that server by a TLS client during TLS
>handshake"? Please note that Squid is a TLS server in this context.

Sid: Actually, in my case the server is looking for a certificate to be sent by
the client; it isn't a web server but an SBC looking for a certificate sent by
a client to grant further voice & video calls. How do I configure Squid to get
this certificate from the client for mutual authentication?

>Perhaps the alert may not be related to certificate validation. If you want
>to verify whether UCAppsCA.pem is enough to trust the origin server, you can
>use "curl" or "openssl s_client" tools for a test. They should fail to
>validate the server when not configured to use UCAppsCA.pem and they should
>succeed otherwise.

Sid: I have tried the following, which shows "Verify return code: 0 (ok)":
openssl s_client -connect <Server FQDN>:443 -CAfile /usr/local/squid/etc/UCAppsCA.pem

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
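
Added example (not part of the original post or of Squid): a small shell helper for reading the result of the "openssl s_client" test discussed above, reporting both the verify return code and whether the origin server listed acceptable client-certificate CAs. The function names and the two sample transcripts are constructed for illustration.

```shell
# Added example: read a saved `openssl s_client` transcript and report
# (a) whether the chain verified and (b) whether the server listed
# acceptable client-certificate CAs. Function names are hypothetical.

# Print the numeric "Verify return code" (empty if the line is absent).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed if s_client printed the CA names the server accepts for client
# certificates, i.e. the server sent a certificate request naming CAs.
# "No client certificate CA names sent" is ambiguous: no request at all,
# or a request with an empty CA list.
requests_client_cert() {
    grep -q '^Acceptable client certificate CA names' "$1"
}

# Summarise a transcript as "<trust> <client-cert status>".
summarise() {
    code=$(verify_code "$1")
    case "$code" in
        0)  trust=trusted ;;
        '') trust=unknown ;;
        *)  trust="untrusted($code)" ;;
    esac
    if requests_client_cert "$1"; then cc=client-cert-requested
    else cc=no-client-ca-names; fi
    echo "$trust $cc"
}

# Constructed sample transcripts (not captured from a real server).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/with_cafile.txt" <<'EOF'
---
Acceptable client certificate CA names
/CN=Constructed Example CA
---
    Verify return code: 0 (ok)
EOF
cat > "$SAMPLE_DIR/without_cafile.txt" <<'EOF'
---
No client certificate CA names sent
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF

summarise "$SAMPLE_DIR/with_cafile.txt"
summarise "$SAMPLE_DIR/without_cafile.txt"
```

To use it on a real capture, save the output of the s_client command from the post (with stdin redirected from /dev/null) to a file and pass that file to summarise.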

