On 11/1/2019 8:37 PM, Amos Jeffries wrote:
> Oh well. That was the closest Squid has. I was hoping the library would
> send a cert request but not verify the client's response. So the details
> would be available for logging etc. as handshake parameters.
> If that client cert request/delivery is not working then the only
> alternative would be two proxy ports, one with client certificates
> required and one without. Which does not match what you are trying to
> achieve.
> If this is of particular importance, a patch/PR is welcome. I will keep it
> in mind for future TLS improvements, but there are no guarantees that way.
> <https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F>
> <https://wiki.squid-cache.org/DeveloperResources>
I've done a quick hack to remove SSL_VERIFY_FAIL_IF_NO_PEER_CERT from
Ssl::SetupVerifyCallback in ssl/support.cc. It *appears* that this
accomplishes what I want. I'm seeing client cert info when one is provided
and none when I don't provide one (in acl user_cert, logging,
external_acl_handler, etc.).
Does anyone know of gotchas that I could be missing? Some data structures
or behavior expecting the VERIFY_FAIL_IF_NO_PEER_CERT behavior? If it
sounds safe, I'll look into turning this into a proper sslflags option.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
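The verify-mode change discussed above, as an added worked example that is not part of the thread and not Squid's code. It is written against Go's crypto/tls rather than Squid's OpenSSL glue because it can build its own throwaway certificates and run both ends of the handshake offline; the server-side policy constants mirror the OpenSSL flags in question (tls.RequireAndVerifyClientCert behaves like SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, tls.VerifyClientCertIfGiven like SSL_VERIFY_PEER alone). All names (the "proxy", "trusted-client" and "rogue-client" certificates, the scenario labels) are constructed for the demo, and the handshake runs over a loopback TCP socket pinned to TLS 1.2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed cert for cn; it is its own trust anchor.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true, DNSNames: []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// outcome records what the server learned: a nil serverErr means it accepted
// the connection; clientCN is the CN of the verified client cert, if any.
type outcome struct{ serverErr error; clientCN string }

// handshake runs one TLS 1.2 handshake over loopback TCP. The server enforces
// policy against clientCAs; the client presents clientCert when it is non-nil.
func handshake(policy tls.ClientAuthType, serverCert tls.Certificate, clientCAs *x509.CertPool, clientCert *tls.Certificate) (o outcome) {
	roots := x509.NewCertPool()
	roots.AddCert(serverCert.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: policy, ClientCAs: clientCAs,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{RootCAs: roots, ServerName: "localhost",
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	if clientCert != nil {
		// Present the cert unconditionally; Go's default selection would send nothing if the server's CA list did not match it.
		cliCfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return clientCert, nil
		}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return outcome{serverErr: err}
	}
	defer ln.Close()
	go func() { // client side; its own error just mirrors the server's alert
		if cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			cli.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return outcome{serverErr: err}
	}
	defer raw.Close()
	conn := tls.Server(raw, srvCfg)
	if err := conn.Handshake(); err != nil {
		return outcome{serverErr: err}
	}
	if peer := conn.ConnectionState().PeerCertificates; len(peer) > 0 {
		o.clientCN = peer[0].Subject.CommonName
	}
	return o
}

// runScenarios contrasts "require" (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
// with "optional" (SSL_VERIFY_PEER alone) for no cert, a trusted cert and a rogue cert.
func runScenarios() map[string]outcome {
	server, trusted, rogue := selfSigned("proxy"), selfSigned("trusted-client"), selfSigned("rogue-client")
	cas := x509.NewCertPool()
	cas.AddCert(trusted.Leaf)
	return map[string]outcome{
		"require/no-cert":       handshake(tls.RequireAndVerifyClientCert, server, cas, nil),
		"optional/no-cert":      handshake(tls.VerifyClientCertIfGiven, server, cas, nil),
		"optional/trusted-cert": handshake(tls.VerifyClientCertIfGiven, server, cas, &trusted),
		"optional/rogue-cert":   handshake(tls.VerifyClientCertIfGiven, server, cas, &rogue),
	}
}

func main() {
	for name, o := range runScenarios() {
		fmt.Printf("%-22s client=%q err=%v\n", name, o.clientCN, o.serverErr)
	}
}
```

The fourth scenario is the caveat worth keeping in mind when making the flag optional: in OpenSSL's documented semantics, SSL_VERIFY_FAIL_IF_NO_PEER_CERT only governs the case where the client returns no certificate at all. With SSL_VERIFY_PEER still set, a certificate that is presented but does not verify (unknown issuer, expired, wrong usage) still aborts the handshake with an alert unless the verify callback overrides the result, so such clients are disconnected rather than showing up in the logs as "no cert".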