Is there a scalable way in SSL-Bump forwarding client's certificate to server?

Is there a scalable way in SSL-Bump forwarding client's certificate to server?

GeorgeShen
Hi,

I've seen some posts saying there is a way to configure the squid proxy to
get the client certificate. But to be scalable (assume it has many https
clients) I'm wondering if the proxy can ask for the client certificate and
modify that certificate in negotiating the session with the server; just
like the proxy dynamically generates the certificate to the client
representing the server. I understand in the current timeline, the proxy
negotiates with the server before accepting the TLS hello from the client.

thanks.
- George



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Is there a scalable way in SSL-Bump forwarding client's certificate to server?

Alex Rousskov
On 12/10/19 10:08 PM, GeorgeShen wrote:

> I've seen some posts saying there is a way to configure the squid proxy to
> get the client certificate.

Yes, look for "client certificate" in your squid.conf.documented.


> But to be scalable (assume it has many https clients)

If you are implying that Squid would check whether the client has sent a
particular client certificate copy, then this is not how certificate
authentication works. Squid would validate whether the client has sent a
certificate _signed_ by the configured client CA certificate. A single
CA certificate can be used to sign (i.e. issue) millions of client
certificates.


> I'm wondering if the proxy can ask for the client certificate and
> modify that certificate in negotiating the session with the server;

It is possible in theory but Squid cannot do that. There could be some
very special environments where such a scheme would make sense, but keep
in mind that the server would have to share its client CA certificate
(or equivalent) with Squid for the scheme to work.


> I understand in the current timeline, the proxy
> negotiates with the server before accepting the TLS hello from the client.

In most SslBump setups, Squid negotiates with the server _after_ seeing
the TLS client Hello.

Alex.

Re: Is there a scalable way in SSL-Bump forwarding client's certificate to server?

GeorgeShen
> Yes, look for "client certificate" in your squid.conf.documented.

OK. For 'clientca=' and 'tls-cafile=', is the purpose for the proxy to
verify the client cert against this list before allowing the connection to go
further? Or can it also use those client certificates for other things?

Also, the TLS 1.2 RFC says the client sends a certificate only if the server
asks for it; here that means the proxy. Does configuring 'clientca=' signal
all clients to send their certificate if they have one?

thanks.
- George




Re: Is there a scalable way in SSL-Bump forwarding client's certificate to server?

Amos Jeffries
Administrator
On 11/12/19 6:48 pm, GeorgeShen wrote:
>> Yes, look for "client certificate" in your squid.conf.documented.
>
> OK. For 'clientca=' and 'tls-cafile=', is the purpose for the proxy to
> verify the client cert against this list before allowing the connection to go
> further? Or can it also use those client certificates for other things?

There is no "or" about it. Both.

Any client certificate given must verify.

Valid client certificates can be used for things other than verification.


>
> Also, the TLS 1.2 RFC says the client sends a certificate only if the server
> asks for it; here that means the proxy. Does configuring 'clientca=' signal
> all clients to send their certificate if they have one?
>

Yes. Exactly so.


Amos

Re: Is there a scalable way in SSL-Bump forwarding client's certificate to server?

Alex Rousskov
On 12/11/19 7:10 AM, Amos Jeffries wrote:
> On 11/12/19 6:48 pm, GeorgeShen wrote:
>> OK. For 'clientca=' and 'tls-cafile=', is the purpose for the proxy to
>> verify the client cert against this list before allowing the connection to go
>> further?

> Any client certificate given must verify.

And, by default, any TLS client not providing a certificate will be denied.


>> Does configuring 'clientca=' signal
>> all clients to send their certificate if they have one?

By default, the setting implies that a client has to send a client
certificate. If a client does not have a certificate, it cannot
successfully negotiate a TLS connection with a clientca-enabled https_port.

Squid has options that can change the above default behavior.

Alex.
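Putting the answers above together as a squid.conf fragment (an added example, not configuration posted in the thread or shipped by the Squid project; every file path and the organisation name ExampleCorp are placeholders): clientca= makes Squid request a client certificate on the https_port and, as Alex notes, reject by default any client that does not present one signed by that CA, while the user_cert ACL is one of the "other things" Amos mentions that a verified certificate can drive.

```conf
# Added example, not from the thread or the Squid project. All paths and
# the organisation name are placeholders.
#
# An SSL-Bump https_port that requires client certificates issued by one
# corporate CA. Squid never needs a copy of each client certificate: it
# checks that the presented certificate chains to clientca= (one CA can
# issue millions of client certificates).
#
# tls-cert/tls-key: the CA Squid uses to mint the per-site certificates it
# shows to clients. clientca: the CA that signs the users' certificates.
https_port 3129 ssl-bump tls-cert=/etc/squid/bump-ca.pem tls-key=/etc/squid/bump-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB clientca=/etc/squid/client-ca.pem

# Default behaviour of the port above: a client that sends no certificate,
# or one not signed by client-ca.pem, cannot complete the TLS handshake.
# Squid 5 and later can request a certificate but tolerate its absence
# (still validating any certificate that is sent); confirm the flag against
# your own squid.conf.documented before relying on it:
# https_port 3129 ssl-bump ... clientca=/etc/squid/client-ca.pem sslflags=CONDITIONAL_AUTH

# SSL-Bump policy: look at the client hello first (step 1), then bump.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Use the verified client certificate for more than admission: only
# certificates whose subject O= is ExampleCorp may use the proxy.
acl corp_cert user_cert O ExampleCorp
http_access allow corp_cert
http_access deny all
```

The tls-cafile= option asked about in the thread supplies additional CA certificates for verifying client certificates beyond the one in clientca=; it does not change which clients are asked for a certificate.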