Using client certificate for all connection

Using client certificate for all connection

Juande
Hi

I want to configure squid so every request through the proxy gets client certificate authenticated.

I need some automatic software audit tools to access a server that uses client certificates to access its contents.

Any suggestions?

BR
Juan
Re: Using client certificate for all connection

Antony Stone
On Thursday 30 March 2017 at 18:55:09, Juande wrote:

> Hi
>
> I want to configure squid so every request through the proxy gets client
> certificate authenticated.
>
> I need some automatic software audit tools to access a server that uses
> client certificates to access its contents.

Are you saying that you want all client requests, to any server, to be
authenticated by Squid (or a helper) for the client certificate?

Or are you saying that all requests to a specific server are required to be
authenticated by client certificate, and Squid is supposed to supply this
certificate (because the client itself cannot)?


Antony.

--
"The tofu battle I saw last weekend was quite brutal."

 - Marija Danute Brigita Kuncaitis

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Using client certificate for all connection

Eliezer Croitoru
In reply to this post by Juande
As far as my understanding goes squid doesn't have this function yet.
Maybe if you put haproxy (not sure) in front of squid you might be able to achieve your goal.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



Re: Using client certificate for all connection

Juande
In reply to this post by Antony Stone
Half and half. I need a way to client certificate authorize the requests from my analyzer software that does not support certificate authentication, but does support using a proxy.

So I need that squid provides the certificate for all requests to all servers. We have testing certificates that work in many servers, so I can use the same certificate to authenticate in all of them.

I'm already doing that with OWASP ZAP proxy, but I need a command line only proxy to keep it running on my testing machine, and I thought that a versatile proxy like squid would have this option.
Re: Using client certificate for all connection

Amos Jeffries
Administrator
In reply to this post by Eliezer Croitoru
On 31/03/2017 2:55 p.m., Eliezer  Croitoru wrote:
> As far as my understanding goes squid doesn't have this function yet.
> Maybe if you put haproxy (not sure) in front of squid you might be able to achieve your goal.
>

It depends on exactly what is wanted as to how they are configured. But
Squid does have support for client certificates on all TLS connections.

Amos

Re: Using client certificate for all connection

Amos Jeffries
Administrator
In reply to this post by Juande
On 31/03/2017 9:39 p.m., Juande wrote:
> Half and half. I need a way to client certificate authorize the requests from
> my analyzer software that does not support certificate authentication, but
> does support using a proxy.
>
> So I need that squid provides the certificate for all requests to all
> servers. We have testing certificates that work in many servers, so I can
> use the same certificate to authenticate in all of them.

For Squid-3 releases use:
 <http://www.squid-cache.org/Doc/config/sslproxy_client_certificate/>
 <http://www.squid-cache.org/Doc/config/sslproxy_client_key/>

For Squid-4 and later those have become the cert= and key= options for:
 <http://www.squid-cache.org/Doc/config/tls_outgoing_options/>


Amos

Re: Using client certificate for all connection

Eliezer Croitoru
In reply to this post by Amos Jeffries
For incoming and outgoing connections?
I.e. I want only the users whose certificates are in a file to be able to use the proxy?
The other side is that squid as a client will possess and use a client-side certificate.
Which of the above is possible on latest stable (3.5)?

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


Re: Using client certificate for all connection

Amos Jeffries
Administrator
On 2/04/2017 8:59 p.m., Eliezer Croitoru wrote:
> For incoming and outgoing connections?

Yes.

> I.e. I want only the users whose certificates are in a file to be able to use the proxy?
> The other side is that squid as a client will possess and use a client-side certificate.
> Which of the above is possible on latest stable (3.5)?

Same things that have been possible since about Squid-2.1 or whenever
SSL support was added.

Amos

Re: Using client certificate for all connection

Matus UHLAR - fantomas
>> I.e. I want only the users whose certificates are in a file to be able to use the proxy?
>> The other side is that squid as a client will possess and use a client-side certificate.
>> Which of the above is possible on latest stable (3.5)?

On 04.04.17 03:03, Amos Jeffries wrote:
>Same things that have been possible since about Squid-2.1 or whenever
>SSL support was added.

iirc this was not supported by browsers, does any support ssl-proxy
connections?
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: Using client certificate for all connection

Alex Rousskov
On 04/03/2017 09:06 AM, Matus UHLAR - fantomas wrote:
> iirc this was not supported by browsers, does any support ssl-proxy
> connections?

Yes, IIRC, Firefox and Chrome (at least) support SSL connections to
proxies, but configuration of that feature is "hidden". You should be
able to find several emails discussing details on this and IETF HTTP WG
mailing lists.

There are other, specialized browser-like clients/kiosks/etc. that
support SSL connections to proxies. FWIW, the latest Curl also supports
it (<plug>Factory implemented that Curl feature</plug>) so you can test
the functionality from the command line.


HTH,

Alex.

Re: Using client certificate for all connection

Amos Jeffries
Administrator
In reply to this post by Matus UHLAR - fantomas
On 4/04/2017 3:06 a.m., Matus UHLAR - fantomas wrote:

>>> I.e. I want only the users whose certificates are in a file
>>> to be able to use the proxy?
>>> The other side is that squid as a client will possess and use a
>>> client-side certificate.
>>> Which of the above is possible on latest stable (3.5)?
>
> On 04.04.17 03:03, Amos Jeffries wrote:
>> Same things that have been possible since about Squid-2.1 or whenever
>> SSL support was added.
>
> iirc this was not supported by browsers, does any support ssl-proxy
> connections?

You recall correctly - for explicit/forward proxy Chrome and Firefox have
limited support when PAC is used, or some advanced hacks like command
line options. But generally browsers are refusing to talk to proxies
securely. Squid supports it already though.

Reverse-proxy, non-browser traffic, cache_peer and Squid->server
connections are where it really comes in handy.

Amos

Re: Using client certificate for all connection

Juande
In reply to this post by Amos Jeffries
Hi Amos, thanks for answering.

I'm using Squid 3.5.12

I tried using the line:

sslproxy_client_certificate  /home/ubuntu/Documents/cert.pem

The pem was generated from .pfx using:

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

So it should contain the private key.

But my server is still asking me for the certificate.

Any ideas?
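
The script below is an added example, not part of the thread or of Squid: it checks that a PEM file such as the one produced by the `openssl pkcs12 ... -nodes` command in the post above really holds a certificate and its matching private key, then prints the outgoing-TLS directives Amos Jeffries names for Squid-3 and for Squid-4 and later. The function names and the script's arguments are hypothetical, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes the openssl command-line tool is installed.

# check_client_bundle PEM
#   0  certificate and private key are both present and belong together
#   1  no readable certificate     2  no readable unencrypted private key
#   3  both present, but the key does not match the certificate
check_client_bundle() {
    pem=$1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null || return 1
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$pem" 2>/dev/null || return 2
    # Compare the public key embedded in the certificate with the one
    # derived from the private key; identical output means they pair up.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    # -passin pass: keeps openssl from prompting if the key is encrypted.
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 3
}

# squid_client_cert_conf MAJOR PEM
#   Prints the squid.conf line(s) for the given Squid major version, using
#   the directive names from the thread, after the bundle passes the check.
squid_client_cert_conf() {
    major=$1
    bundle=$2
    check_client_bundle "$bundle" || return $?
    if [ "$major" -ge 4 ]; then
        printf 'tls_outgoing_options cert=%s key=%s\n' "$bundle" "$bundle"
    else
        printf 'sslproxy_client_certificate %s\n' "$bundle"
        printf 'sslproxy_client_key %s\n' "$bundle"
    fi
}

# Stand-alone use: sh check_bundle.sh 3 /home/ubuntu/Documents/cert.pem
if [ "$#" -eq 2 ]; then
    squid_client_cert_conf "$1" "$2"
fi
```

These directives only affect TLS connections that Squid itself opens to a server; an HTTPS request relayed as a plain CONNECT tunnel is negotiated end to end by the client, so Squid takes no part in the handshake where the certificate would be presented.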