[squid-users] Transparent SSL proxy w/ client-side certificates (rephrased)

From: Damon Miller <dmiller_at_cloudswitch.com>
Date: Mon, 1 Feb 2010 09:14:57 -0500

Hello again. I apologize for the duplicate topic but I've hit a dead end.
I'm hoping that a simpler question will be easier to answer so here goes:

Is it possible to transparently proxy TLS traffic through Squid when the
target server requires a client-side certificate for authentication?

This works as expected when Squid is operating in non-transparent mode.
When I switch to transparent mode, however, Squid doesn't request a
certificate from the client and as a result the server-side handshake fails.
(Standard SSL traffic flows correctly after I accept the name mismatch
complaints from the browser.)

I've tried to understand the handshake process but I can't determine if it's
possible to transparently proxy this or if Squid just doesn't support it at
the moment. Specifically, it seems that CertificateVerify requires the
client to sign a message to show it possesses the private key associated
with the provided certificate. This doesn't seem inconsistent with
transparent proxying, as Squid could simply impersonate the target server,
collect the signature from the client, and relay it back to the server. Or
am I missing something obvious?

Thanks in advance,

Damon

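As an added illustration (not part of Damon's post and not Squid code): a toy Python model of what the CertificateVerify signature covers in a TLS 1.2 handshake (RFC 5246, section 7.4.8), namely the hash of every handshake message exchanged so far on that one connection. The RSA key, certificates and random values below are constructed for the example; the key is deliberately tiny and the signing is unpadded, so the only thing the script demonstrates is the transcript-binding property, not usable cryptography.

```python
"""Toy model of TLS 1.2 CertificateVerify (RFC 5246, section 7.4.8).

Added illustration for the squid-users thread; not code from the post or
from Squid. The RSA key uses tiny hard-coded primes and raw, unpadded
signing so the script runs on a stock Python 3.8+ install. It is NOT real
cryptography; only the transcript-binding property is the point.
"""
import hashlib

# --- toy client key (constructed, insecure) ---------------------------------
P, Q = 1000003, 1000033            # small primes chosen for the illustration
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def transcript_hash(messages):
    """Hash of all handshake messages sent so far on one connection.

    In TLS 1.2 this is what the client signs in CertificateVerify, so the
    signature is bound to this particular handshake and no other.
    """
    h = hashlib.sha256()
    for m in messages:
        h.update(m)
    return h.digest()


def sign(digest):
    """Client side of CertificateVerify: sign the transcript hash (toy RSA)."""
    return pow(int.from_bytes(digest, "big") % N, D, N)


def verify(digest, sig):
    """Server side: check the signature against *its own* transcript hash."""
    return pow(sig, E, N) == int.from_bytes(digest, "big") % N


def handshake_messages(server_random, server_cert, client_random, client_cert):
    """Simplified handshake up to CertificateVerify, in TLS 1.2 order."""
    return [
        b"ClientHello:" + client_random,
        b"ServerHello:" + server_random,
        b"Certificate:" + server_cert,
        b"CertificateRequest",
        b"ServerHelloDone",
        b"Certificate:" + client_cert,
        b"ClientKeyExchange:<encrypted pre-master secret>",
    ]


# Constructed, fixed values so the run is deterministic.
CLIENT_RANDOM = bytes(range(32))
CLIENT_CERT = b"CN=damon-client"
ORIGIN_RANDOM = b"\xaa" * 32
ORIGIN_CERT = b"CN=real-origin"
PROXY_RANDOM = b"\xbb" * 32
PROXY_CERT = b"CN=proxy-impersonating-origin"  # the cert the browser warns about


def end_to_end():
    """One handshake, browser <-> origin: the signature verifies."""
    msgs = handshake_messages(ORIGIN_RANDOM, ORIGIN_CERT, CLIENT_RANDOM, CLIENT_CERT)
    digest = transcript_hash(msgs)
    return verify(digest, sign(digest))


def relay_attempt():
    """Two handshakes: browser <-> proxy, then proxy <-> origin.

    The proxy impersonates the origin towards the browser, collects the
    browser's CertificateVerify and replays it to the origin.
    Returns (verifies on the browser leg, verifies on the origin leg).
    """
    browser_leg = handshake_messages(PROXY_RANDOM, PROXY_CERT, CLIENT_RANDOM, CLIENT_CERT)
    origin_leg = handshake_messages(ORIGIN_RANDOM, ORIGIN_CERT, CLIENT_RANDOM, CLIENT_CERT)
    sig = sign(transcript_hash(browser_leg))  # the browser signs what *it* saw
    return (verify(transcript_hash(browser_leg), sig),
            verify(transcript_hash(origin_leg), sig))


if __name__ == "__main__":
    print("end-to-end:", end_to_end())             # True
    print("relay through proxy:", relay_attempt())  # (True, False)
```

The origin leg fails even though the proxy copied the browser's ClientHello random: its own ServerHello random and, above all, the server Certificate it had to present to the browser (the one that triggers the name-mismatch warning) are part of the transcript the browser signed, and the origin hashes a different transcript. TLS 1.3 keeps the same property, with CertificateVerify signing the transcript hash of that connection.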
Received on Mon Feb 01 2010 - 14:15:24 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 02 2010 - 12:00:03 MST