20.02.15 15:34, Ilya Karpov wrote:
I’m not sure that using transparent sslbump squid will understand how
to use client certificate for mutual authentication.
As you configure it.
At least without transparent ssl bump it doesn’t.
Sure.
Did you try to use trspr-sslbump for client auth? How does squid pick
right client certificate for certain host?
Client auth on HTTPS sites is not a function of a transparent proxy. And
yes, we don't use client certs on our transparent proxy. We simply
bypass these sites directly without bumping. Let the clients do it
themselves. This is not our responsibility.
I see two ways to do that as you wish.
1. Add the sites that require client-cert auth to the bump exclusion list,
i.e., exclude the proxy from the chain.
2. Configure the proxy to use client certs with the sites that require it, using ACLs.
Best regards,
Ilya Karpov
karpof...@gmail.com
On 20 Feb 2015, at 12:24, Yuri Voinov <yvoi...@gmail.com> wrote:
Transparent SSL Bump interception, eh?
20.02.15 15:14, Ilya Karpov wrote:
Hi guys,
can anyone suggest solution to make following scenario work using squid:
step1.
Client (actually server application) calls HTTP://example.org via squid proxy.
|
V
step2.
Proxy (Squid) understands that all calls to HTTP://example.org
should be changed to HTTPS://example.org, trusts CA that uses
example.org and knows client certificate to use for https
client authentication
|
V
step3.
Origin (some server in internet) accepts https request, authenticates
client, returns response
The main aim is to make client know nothing about https complexity
(storing certificates/keys, knowing specific algorithms etc), and
make squid manage these things.
Best regards,
Ilya Karpov
karpof...@gmail.com
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
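
The two approaches listed in the reply above, sketched as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread. It assumes Squid 3.5 directive names built with OpenSSL support; the file paths, ACL names and the peer name are placeholders, and option names should be checked against the squid.conf documentation of the installed release.

```conf
# --- Way 1: do not bump sites that require client certificates ---------
# The TLS session stays end to end between client and origin, so the
# client presents its own certificate and Squid never sees the key.
acl step1 at_step SslBump1
acl client_cert_sites ssl::server_name .example.org   # placeholder domain
ssl_bump peek step1                 # read the SNI only, no decryption yet
ssl_bump splice client_cert_sites   # tunnel these sites untouched
ssl_bump bump all                   # everything else is intercepted

# --- Way 2: Squid holds the client certificate -------------------------
# The application sends plain http://example.org/ requests to Squid.
# Squid forwards them to the origin over TLS and authenticates with the
# certificate below. The ACL limits which requests may use this peer,
# and therefore which requests are sent with this identity.
acl to_example dstdomain example.org
cache_peer example.org parent 443 0 no-query no-digest originserver \
    ssl \
    sslcert=/etc/squid/certs/client.pem \
    sslkey=/etc/squid/certs/client.key \
    sslcafile=/etc/squid/certs/origin-ca.pem \
    name=example_tls
cache_peer_access example_tls allow to_example
cache_peer_access example_tls deny all
never_direct allow to_example       # never fall back to a plain connection

# Only the application host may use the proxy at all, since every request
# matching to_example is sent upstream with the proxy's certificate.
acl app_host src 192.0.2.10/32      # placeholder address
http_access allow app_host to_example
http_access deny to_example
```

With way 2 the private key lives on the proxy, so the key file should be readable only by the Squid user, and the hop between application and proxy is unencrypted and unauthenticated apart from the source-address ACL.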