On 10/22/2015 05:59 PM, Leon wrote:
> In regard to the document, I suggest to change the description of
> the peek action to "Receive SNI in Client Hello message (step1), or
> server certificate (step2) ...".

I see what you mean now. Done.

Thank you,

Alex.

> -----Original Message-----
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com]
> Sent: Thursday, October 22, 2015 3:41 PM
> To: squid-users@lists.squid-cache.org
> Cc: Leon <wangxuz...@gmail.com>
> Subject: Re: [squid-users] How to inspect client certificate in ssl_bump
>
> On 10/22/2015 03:53 PM, Leon wrote:
>
>> I'm using Squid 3.5. What I'm going to do is set up a forward
>> proxy that inspects the TLS handshake between client and server, then allows
>> the connection only when the following two requirements are met:
>>
>> 1. The server address must be in our whitelist, and the server
>>    must provide a correct server certificate during the TLS handshake.
>> 2. The client must provide a client certificate during the TLS handshake,
>>    and the certificate's subject must be in our whitelist.
>>
>> I've set up ssl_bump according to this page:
>> http://wiki.squid-cache.org/Features/SslPeekAndSplice. I don't need to
>> do any bump. I only need to peek, then either splice or terminate.
>>
>> My question is: how to inspect the client certificate? And how to
>> configure an acl for that?
>
>
> Current SslBump code does not support client certificate inspection.
> Squid does not know anything about a bumped client certificate.
>
>
>> The document is confusing. It explains the peek action as:
>> peek step1, step2 Receive SNI and client certificate (step1), or
>> server certificate (step2) while preserving the possibility of
>> splicing the connection. Peeking at the server certificate usually
>> precludes future bumping of the connection (see Limitations).
>
>> But the client certificate is not sent at step1 during the TLS handshake.
>> The client certificate is sent after the server certificate is received and
>> the server also sends a "Certificate Request" message.
>
> That is correct. What do you find confusing about the current description?
> Please suggest improvements or edit the current text.
>
>
>> So I guess I need an additional step (step4)?
>
> Yes, although client certificate inspection should most likely be done during
> step3 and/or step4, with the current "final" step3 increased to
> step4 or step5.
>
>
>> Is there already someone working on this, or do I need to create it by
>> myself?
>
> I am not aware of anybody working on client certificate inspection in
> SslBump. Please note that correctly handling client certificates during
> SslBump requires serious development work, and that work needs to be done in
> the unstable SslBump code (e.g., we are currently rewriting handshake parsing
> code to make it safe and robust).
>
>
> HTH,
>
> Alex.

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
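As an added illustration of the peek-then-splice-or-terminate setup Leon describes (example configuration written for this page, not taken from the thread or from the Squid project; the listening port, CA file path, ssl_crtd paths and the whitelist domain are assumed placeholders), a squid.conf fragment for Squid 3.5 that peeks at step 1 and step 2 and splices only whitelisted servers:

```conf
# Added example, not from the thread. Squid 3.5 peek-and-splice forward proxy.
# Assumed placeholders: port 3128, CA cert+key in /etc/squid/proxy-ca.pem,
# ssl_crtd helper paths, whitelist domain .example.com.
http_port 3128 ssl-bump cert=/etc/squid/proxy-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# The SslBump processing steps from the SslPeekAndSplice wiki page cited above.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Server whitelist: matched against the SNI learned at step 1 and against the
# server certificate (subject/SAN) learned at step 2. Placeholder domain.
acl allowed_servers ssl::server_name .example.com

# Step 1: read the ClientHello (SNI) without altering the handshake.
ssl_bump peek step1
# Step 2: still only peek, so the server certificate is received and can be
# checked against the whitelist; a non-whitelisted SNI is refused here.
ssl_bump peek step2 allowed_servers
# Step 3: pass whitelisted connections through untouched; refuse everything else.
ssl_bump splice step3 allowed_servers
ssl_bump terminate all

# Do not tolerate any server certificate validation error (this is the
# default; stated explicitly so the requirement is visible in the config).
sslproxy_cert_error deny all
```

There is no client-certificate check in this fragment because, as Alex states above, current SslBump does not inspect client certificates; only the server-side requirement from Leon's list can be expressed with these ACLs.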