[squid-users] Allowing User Certificate Authentication with SSL Bump
Justin Cook
justinglencook at gmail.com
Wed Apr 28 20:36:05 UTC 2021
Unfortunately the peeking only logs the FQDN and no subdirectories, which
doesn't meet our logging requirements for security :(. It sounds like there
isn't a way to have Squid do both currently; I do appreciate the
information though!
On Wed, Apr 28, 2021 at 12:40 PM Alex Rousskov <rousskov at measurement-factory.com> wrote:
> On 4/27/21 6:23 PM, Justin Cook wrote:
> > In this case we're not looking to authenticate the user themselves with
> > the squid server but with the destination web server, does that change
> > the scope?
>
> * If you do need to bump TLS connections:
>
> Yes, certificate authentication with an origin server is a different
> problem. If Squid does not possess the client certificate key, then
> Squid cannot both bump the TLS client connection (i.e. become the client
> from the origin server point of view) and keep the old client from the
> origin server point of view.
>
> In this case, this is not a technical limitation of the current Squid
> implementation like "TLS inside TLS"; it is a protocol-level conflict
> that no implementation can resolve. TLS design makes
> faking/impersonating the authenticating client impossible without
> leaking the client key to the proxy.
>
> If you can refactor so that the origin server trusts Squid instead of
> the client, and Squid authenticates the TLS client, then we will be back
> to the earlier "TLS inside TLS" problem (not to mention client
> changes/complications), so this kind of refactoring is unlikely to be
> the right way forward.
>
>
> * If you only need to peek at TLS connections:
>
> You should be able to keep client certificate authentication. If Squid
> cannot keep that while peeking at the TLS client or the origin server,
> then there is a Squid bug somewhere.
>
>
> HTH,
>
> Alex.
>
>
> > On Tue, Apr 27, 2021 at 10:57 AM Alex Rousskov wrote:
> >
> > On 4/27/21 1:33 PM, Justin Cook wrote:
> > > We are running into a situation where we are unable to fully
> > > authenticate our users to an internal tooling service that requires
> > > certificate authentication as part of its login process, when going
> > > through squid forward proxy with SSL bump enabled.
> >
> > SslBump does not support "TLS inside TLS" configurations, which is
> > what you get when you combine certificate-based proxy authentication
> > (which requires an https_port working in a forward proxy mode) with SslBump
> > (which, for an https_port, currently requires an interception proxy
> > mode).
> >
> > It is possible to add support for "TLS inside TLS", but it requires a
> > serious development effort.
> >
> >
> > https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
> >
> >
> > HTH,
> >
> > Alex.
> >
>
>
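For readers hitting the same trade-off, here is an added squid.conf fragment (not part of the thread, not posted by either participant) showing the split Alex describes: peek at every TLS connection first, splice the destinations that authenticate the user with a client certificate so their handshake reaches the origin untouched, and bump everything else for full-URL logging. The CA file path, the certgen helper path and the host name tools.example.internal are placeholders.

```squid
# Added example: split SslBump policy by destination (Squid 4+ syntax).
# Placeholders: /etc/squid/bump-ca.pem (local CA used to mint bumped certs),
# tools.example.internal (origin that requires a client certificate).
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB

acl step1 at_step SslBump1
# Matched against the client's SNI at step 2 (the name the client asked for).
acl clientcert_sites ssl::server_name tools.example.internal

# Step 1: peek at the ClientHello to learn the server name without
# committing to bump or splice yet.
ssl_bump peek step1

# Origins that authenticate the user with a client certificate: splice.
# Squid never holds the client's private key, so bumping here would break
# the origin-side client-cert handshake (the protocol-level conflict in
# the thread). Only the server name is logged for these connections.
ssl_bump splice clientcert_sites

# Everything else: bump, so full URLs are available for access logging.
ssl_bump bump all
```

Spliced connections show up in access.log with the CONNECT host only, so the logging gap the thread describes applies exactly to the hosts in clientcert_sites and nowhere else.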