Re: [squid-users] Client Certificate Authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 15 Mar 2011 13:02:56 +1300

 On Mon, 14 Mar 2011 13:43:38 +0100, Jaime Nebrera wrote:
> Dear all,
>
> This is my first email to the list in a looong time so please
> forgive if I'm saying something stupid.
>
> I want to authenticate users using a digital certificate they will
> already own for "forwarding proxy".
>
> That is, the browsers will use squid to navigate the internet (not
> reverse proxy), do some ACL (white / black list validating the user
> against a LDAP server) and some antivirus filtering (iCap or
> similar).
>
> Reading the available information in the Internet I'm not sure if
> this is possible or not.

 It is. Though not easily.

>
> As reverse proxy there is no problem, but as a forwarding proxy I
> have seen some replies but don't know for sure if it's possible or not.

 Squid https_port can accept forward proxy traffic as easily as
 reverse-proxy traffic. The difficulty comes when you find out that none
 of the popular browsers actually open HTTPS connections to proxies. A
 stunnel wrapper is needed to apply the SSL bit from the user's box to the
 Squid.

>
> I have also seen SSLBump, which seems related to that topic.

 Nope, this is MITM on HTTPS. No per-user certificates involved.

>
> BTW, I would like the proxy to use User's certificate when
> authenticating against other (external) servers.

 It cannot. The SSL traffic which follows a certificate CANNOT be
 generated without the secret keys associated with the certificate. Squid
 does not have this information and can only be configured to use one set
 of keys for all DIRECT outgoing traffic.

 What you have instead is a certificate authorizing Squid to open
 connections to external places plus some ACL rules in squid.conf
 limiting which clients are allowed to go via HTTPS to those places.
 Those external places see Squid as the client software even with regular
 HTTP traffic.

 Amos
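As an added illustration of the setup Amos describes (constructed here, not taken from the thread or from the Squid project): a squid.conf whose TLS listener admits only holders of a client certificate from one organisation and uses a single fixed identity for its own outgoing TLS, plus the stunnel client configuration on the user's machine that gives the browser the TLS hop it cannot make itself. Host names, file paths, the organisation name and the port numbers are assumptions.

```conf
# --- /etc/squid/squid.conf (proxy side; constructed example) ---
# TLS listener for forward-proxy traffic. Browsers do not speak TLS to a
# proxy, so only the stunnel wrapper below ever connects here. clientca=
# lists the CA(s) whose client certificates Squid asks for at handshake.
https_port 3129 cert=/etc/squid/proxy.pem key=/etc/squid/proxy.key \
    clientca=/etc/squid/client-ca.pem

# Authorize by a field of the presented client certificate (attribute
# is one of DN/C/O/CN/L/ST). Connections without a matching certificate,
# including any plain http_port you may add, fall through to "deny all".
acl staff_cert user_cert O ExampleCorp

acl SSL_ports  port 443
acl Safe_ports port 80 443
acl CONNECT    method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow staff_cert
http_access deny all

# Squid's own identity toward origin servers on DIRECT TLS connections.
# This one key pair is used for every destination; the user's certificate
# is never forwarded upstream because Squid never holds its private key.
sslproxy_client_certificate /etc/squid/outgoing.pem
sslproxy_client_key         /etc/squid/outgoing.key

# --- /etc/stunnel/proxy.conf (user's machine; constructed example) ---
# stunnel runs as a TLS client: the browser is configured with
# 127.0.0.1:3128 as its HTTP proxy, stunnel wraps each connection in TLS,
# presents the user's certificate and verifies the proxy's certificate
# against the pinned CA (verify = 2) before passing traffic on.
client = yes
[squid-proxy]
accept  = 127.0.0.1:3128
connect = proxy.example.net:3129
cert    = /home/alice/alice.pem
key     = /home/alice/alice.key
CAfile  = /etc/stunnel/proxy-ca.pem
verify  = 2
```

Keeping the user's private key on the user's machine is what makes the "use my certificate upstream" idea impossible, so log the `O`/`CN` the listener matched rather than trying to relay the certificate.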
Received on Tue Mar 15 2011 - 00:03:00 MDT

This archive was generated by hypermail 2.2.0 : Tue Mar 15 2011 - 12:00:01 MDT