[squid-users] optional verification of clients?
Antonio SJ Musumeci
trapexit at spawn.link
Fri Nov 1 12:17:37 UTC 2019
On 11/1/2019 2:32 AM, Amos Jeffries wrote:
> On 1/11/19 9:19 am, Antonio SJ Musumeci wrote:
>> Is there a way to do something similar to NGINX's "ssl_verify_client
>> optional;"?
>
>
> Set sslflags=DELAYED_AUTH on the http(s)_port line.
>
> Though why you would want to slow every TLS connection setup with KBs of
> certificates pushed in both directions then "dropped on the floor" is
> beyond me.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
The docs indicated that DELAYED_AUTH isn't implemented and doesn't seem
to work on 4.8. If I enable it, it acts as if no certs are passed, and the
http_access user_cert acl I set up, which works fine when not using
DELAYED_AUTH, does not seem to trigger the verification.
Regardless, the point is to create an "anonymous" setup. Not all clients
have, need, or can provide certs. With NGINX setting verify to optional
I can verify iff they are provided allowing me to convert no certs into
a generic guest / anonymous account and entitle separately.
If I understand DELAYED_AUTH's behavior this isn't going to get me that.
I need to be able to tell if the cert was provided. If verification is
just delayed till when the acl is processed that doesn't help unless
there is an acl I'm missing that indicates a cert was provided. The
ssl_error acl values all imply existence.
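For readers unfamiliar with the NGINX behaviour the post is comparing against, here is an added example (not part of the thread, and not Squid configuration) of the "verify iff a cert is provided" pattern: `ssl_verify_client optional;` requests a client certificate without requiring one, and `$ssl_client_verify` then distinguishes the three outcomes the post cares about, no cert at all (`NONE`), a cert that chained to the configured CA (`SUCCESS`), and a cert that was presented but failed verification (`FAILED:<reason>`). The file paths, the upstream name and the `X-Client-Identity` header are assumptions for illustration.

```nginx
# Added example: map the TLS client-cert outcome to an identity string.
# Only "NONE" becomes the anonymous account; a presented-but-invalid
# cert ("FAILED:...") is deliberately not treated as a guest.
map $ssl_client_verify $client_identity {
    "SUCCESS" $ssl_client_s_dn;   # cert presented and chained to our CA
    "NONE"    "guest";            # no cert presented: anonymous account
    default   "";                 # FAILED:<reason>: rejected below
}

server {
    listen 443 ssl;
    ssl_certificate        /etc/nginx/server.crt;      # assumed path
    ssl_certificate_key    /etc/nginx/server.key;      # assumed path
    ssl_client_certificate /etc/nginx/client-ca.crt;   # assumed path: CA client certs must chain to
    ssl_verify_client      optional;   # ask for a cert, do not require one
    ssl_verify_depth       2;

    location / {
        # Reject only the "presented but invalid" case; absence is allowed.
        if ($client_identity = "") { return 403; }
        proxy_set_header X-Client-Identity $client_identity;  # assumed header name
        proxy_pass http://backend;                            # assumed upstream
    }
}
```

The important design point is the `default ""` branch: collapsing `FAILED` into the guest path would let a client holding an untrusted or revoked certificate receive exactly the same entitlements as a client with none, so the two cases are kept apart before any per-identity authorization happens upstream.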