Block and allow connections by CA


Block and allow connections by CA

Patrícia Sousa
Hello,

I was researching a proxy service for access control, and I'm wondering if this service is capable of doing what I want.

I would like to have an IoT device that only receives and sends requests to and from certain devices that belong and are authenticated by a specific certificate authority. Is it possible to block all other connections or only allow connections from devices that belong to a specific CA?

Thank you,
Best regards

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Block and allow connections by CA

Alex Rousskov
On 12/19/19 5:56 AM, Patrícia Sousa wrote:

> I would like to have an IoT device that only receives and sends requests
> to and from certain devices that belong and are authenticated by a
> specific certificate authority. Is it possible to block all other
> connections or only allow connections from devices that belong to a
> specific CA?

Yes, I believe it is possible:

* Squid can check (via an https_port configuration option) that a TLS
client possesses a certificate signed by a specific CA.

* Squid can check (via a ca_cert ACL) that a TLS server uses a
certificate signed by a specific CA. This ACL can be applied during
SslBump step3 processing, but there may be a way to sneak it in without
using SslBump (or such a way can be added by modifying Squid).

If ca_cert options are not enough, Squid can check other server
certificate properties via a custom certificate validation daemon (which
you would have to write). Or one could add support for more properties
to the ca_cert ACL.

Alex.
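The first of the two checks described in the reply (client certificate verified against a specific CA on an https_port, with a ca_cert ACL as a second gate) written out as a Squid 4.x configuration. This is an added example, not configuration from the thread or from the Squid project; every path, port, host name, CA name and the device address are assumptions.

```conf
# Added example (not from the thread): Squid 4.x as a reverse proxy in front
# of an IoT device. Only TLS clients holding a certificate issued by the CA in
# /etc/squid/iot-ca.pem reach the device. All paths, ports, names and the
# device address below are assumptions.

# Terminate TLS for the device. cafile= lists the CA(s) used to verify the
# client certificate; tls-default-ca=off keeps the operating system trust
# store out of the decision, so a certificate from an unrelated public CA is
# not accepted. crlfile= lets the CA revoke a lost or compromised device cert.
https_port 443 accel defaultsite=iot-device.example \
    tls-cert=/etc/squid/proxy-cert.pem \
    tls-key=/etc/squid/proxy-key.pem \
    cafile=/etc/squid/iot-ca.pem \
    crlfile=/etc/squid/iot-ca.crl \
    tls-default-ca=off

# Second gate at the access-control layer: match the issuer (CA) of the
# presented client certificate by its CN, and only for requests aimed at the
# device. Everything else is denied. A user_cert ACL could pin individual
# device certificates the same way.
acl iot_ca ca_cert CN iot-device-ca
acl to_device dstdomain iot-device.example

http_access allow iot_ca to_device
http_access deny all

# Forward accepted requests to the device itself (plain HTTP on the LAN here)
# and never go anywhere else directly.
cache_peer 192.0.2.10 parent 8080 0 no-query originserver name=iotdev
cache_peer_access iotdev allow to_device
cache_peer_access iotdev deny all
never_direct allow all
```

Run `squid -k parse` after editing to catch syntax errors before reloading. The https_port options make the handshake itself fail for clients without a certificate chaining to iot-ca.pem, so the ca_cert ACL rarely fires in practice; it is there so that a later change to the port options (for example adding a second cafile entry) does not silently widen who may reach the device.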