Hello all. I have a question regarding the use of client-side certificates
through a transparent SSL proxy (Squid or otherwise). Is this possible?
I've configured Squid 3.1.0.15 as a transparent SSL proxy and that works.
Browsers complain about name mismatches but that's expected without dynamic
cert generation. However, when I attempt to visit a URL which requires
authentication via a client certificate, the resulting page from Squid shows
a "Read Error" with the following text:
The system returned: [No Error]
An error condition occurred while reading data from the network. Please
retry your request.
I don't see anything in Squid's logfiles nor do I see anything on the
console. I'm running Squid in the foreground and I'm passing 'd9'
for debugging information.
This is certainly not an ideal configuration but at the moment I can't
change the parameters of the problem. My task is to determine whether it is
possible to make such a configuration work. (I do have the luxury of
disregarding the untrusted authority and name mismatch errors on the
client.)
It seems plausible that since Squid is effectively a "man in the middle", it
could acquire the client certificate and relay that to the target to
complete the request. Whether this is currently feasible in Squid is a
separate matter but at a high level I can't think of an obvious problem with
the basic approach. Again, I would rather not be in the business of
intercepting SSL in the first place but at the moment I can't change that.
Thanks in advance for any thoughts.
Regards,
Damon
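As an added illustration (not from the original thread, not Squid code) of what a TLS client-certificate handshake actually requires from the party presenting the certificate: the client proves possession of the certificate's private key by signing a hash of the handshake transcript (TLS CertificateVerify), and on the client-to-proxy leg that transcript contains the random value the proxy chose, not the one the real server will choose. The key (two fixed Mersenne primes, textbook RSA with no padding), the certificate string, the handshake message names and the `simulate` function are all constructed stand-ins for the real thing.

```python
import hashlib
import os

# Constructed toy RSA key: two well-known Mersenne primes stand in for the
# client's real 2048-bit key. Textbook RSA with no padding: illustration only.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537                      # the public half travels inside the cert
D = pow(E, -1, (P - 1) * (Q - 1))        # the private half never leaves the client

def transcript_hash(*handshake_msgs: bytes) -> int:
    """Hash of every handshake message seen so far, as TLS computes for
    CertificateVerify; truncated to 88 bits so it stays below the toy N."""
    digest = hashlib.sha256(b"".join(handshake_msgs)).digest()
    return int.from_bytes(digest[:11], "big")

def certificate_verify(transcript: int) -> int:
    """Client side: sign the transcript with the private key (needs D)."""
    return pow(transcript, D, N)

def check_certificate_verify(sig: int, transcript: int) -> bool:
    """Server side: verify using only the certificate's public key (N, E)."""
    return pow(sig, E, N) == transcript

def simulate(client_rand: bytes, proxy_rand: bytes, server_rand: bytes) -> dict:
    """Interposing proxy: leg 1 is client<->proxy, leg 2 is proxy<->server."""
    cert = b"Certificate:CN=client,O=example"     # public; the proxy can read it
    hello = b"ClientHello" + client_rand           # proxy forwards this unchanged
    # Leg 1: the proxy plays "server" and chooses its own ServerHello random.
    leg1 = transcript_hash(hello, b"ServerHello" + proxy_rand, cert)
    sig = certificate_verify(leg1)                 # only the client can do this
    # Leg 2: the real server picks an unpredictable random of its own, so the
    # transcript it will check the signature against is a different value.
    leg2 = transcript_hash(hello, b"ServerHello" + server_rand, cert)
    return {
        "accepted_by_proxy": check_certificate_verify(sig, leg1),
        "accepted_by_server_when_relayed": check_certificate_verify(sig, leg2),
    }

if __name__ == "__main__":
    print(simulate(os.urandom(32), os.urandom(32), os.urandom(32)))
```

In real TLS the signed transcript also covers the key-exchange messages, so the signature is bound to the session keys as well; the toy shows only the transcript binding, which is already enough to make a relayed certificate fail verification at the real server.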
This archive was generated by hypermail 2.2.0 : Sat Jan 30 2010 - 12:00:04 MST