[squid-users] Squid 4.3: SSL Bump fails to send client certificate

Alex Rousskov rousskov at measurement-factory.com
Thu Nov 1 16:40:57 UTC 2018


On 10/31/18 10:55 PM, Sid wrote:

> Actually, in my case the server is looking for a certificate to be sent by
> the client. How do I configure Squid to get
> this certificate from the client for mutual authentication?

It is technically impossible to meaningfully forward a client
certificate to the origin server when _bumping_ connections, and, hence,
Squid cannot support such forwarding. You should be able to configure a
bumping Squid to send its own client certificate to the origin server
though; see tls_outgoing_options cert=... key=....

The question is, can you give Squid the same client certificate as used
by your client?

* If that client certificate is the same for all from-Squid traffic, you
have access to the client certificate key, and you can store that key
securely on the Squid server, then the answer is probably "yes". It
would not be true "forwarding", but the origin server will get the
certificate it expects, and Squid will be able to send the right TLS
CertificateVerify message to prove that Squid has the private key.

* Otherwise, the answer is probably "no", and you cannot use client
certificate-based authentication with the origin server while bumping
connections. Whether it is possible to support that by enhancing Squid
would depend on which precondition(s) in the first bullet are not
satisfied. For example, it is possible to enhance Squid to select from a
list of client certificates when bumping a server connection.


HTH,

Alex.

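The configuration Alex points at, written out as an added example (this is not from the original thread or from the Squid project's documentation). It assumes Squid 4 with OpenSSL support, that the file paths and the `sslcrtd_program` location are adjusted to your installation, and that `.example.internal` is a placeholder for any origin that requires the client's own certificate rather than Squid's. Origins that demand the client's own certificate are spliced rather than bumped, because, as explained above, a bumped connection cannot carry that certificate through; every other bumped server connection presents Squid's own client certificate via `tls_outgoing_options`.

```conf
# squid.conf fragment (added example; paths are assumptions for your site)

# Bumping listener: Squid's CA certificate mints per-host server certificates
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Origins that authenticate the real client by certificate (placeholder name)
acl mtls_origins ssl::server_name .example.internal
acl step1 at_step SslBump1

# Peek at the TLS ClientHello to learn the SNI, then decide per origin
ssl_bump peek step1
# Do not bump where the client's own certificate must reach the origin:
# splicing leaves the end-to-end TLS handshake (and the client's cert) intact
ssl_bump splice mtls_origins
ssl_bump bump all

# Squid's OWN client certificate and key for bumped server connections.
# The key file must be readable only by Squid's effective user (mode 0600).
tls_outgoing_options cert=/etc/squid/squid-client.pem key=/etc/squid/squid-client.key cafile=/etc/ssl/certs/ca-certificates.crt
```

Before reloading, confirm that the certificate and key actually belong together (for RSA keys, `openssl x509 -noout -modulus -in squid-client.pem` and `openssl rsa -noout -modulus -in squid-client.key` must print the same value) and that the key file is owned by the Squid effective user with mode 0600; a mismatched pair makes the CertificateVerify step fail, and a world-readable key defeats the point of storing it on the proxy at all.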
