Hi Amos and list members,
>> Reading the available information in the Internet I'm not sure if
>> this is possible or not.
>
> It is. Though not easily.
Ok
> Squid https_port can accept forward proxy traffic as easily as
> reverse-proxy traffic. The difficulty comes when you find out that none
> of the popular browsers actually open HTTPS connections to proxies. A
> stunnel wrapper is needed to apply the SSL bit from the users box to the
> Squid.
I didn't know this. Might it be that they are confused and that they
might be using Kerberos or something like that, which in essence is based
on certificates?
>> I have also seen SSLBump that seems in that topic.
>
> Nope, this is MITM on HTTPS. No per-user certificates involved.
Ok
>> BTW, I would like the proxy to use User's certificate when
>> authenticating against other (external) servers.
>
> It cannot. The SSL traffic which follows a certificate CANNOT be
> generated without the secret keys associated with the certificate. Squid
> does not have this information and can only be configured to use one set
> of keys for all DIRECT outgoing traffic.
>
> What you have instead is a certificate authorizing Squid to open
> connections to external places plus some ACL rules in squid.conf
> limiting which clients are allowed to go via HTTPS to those places.
> Those external places see Squid as the client software even with regular
> HTTP traffic.
Mmmm, I have seen commercial products that state they are able to
analyze SSL traffic with a MITM attack. I understand this is of course a
security concern in itself, but I thought these products were doing this.
Might it be they are using a generic certificate for all of them?
Very thankful for your replies. Regards
-- Jaime Nebrera - jnebrera_at_eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
Received on Tue Mar 15 2011 - 07:26:50 MDT
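The setup Amos describes (a TLS-wrapped forward proxy port on Squid, a stunnel client on the user's box because browsers will not speak TLS to the proxy themselves, and squid.conf ACLs limiting which clients may tunnel HTTPS to which destinations) as an added example. This is not configuration from the thread or from the Squid project; host names, ports, subnets, certificate paths and the allowed destination domains are assumptions chosen for illustration.

```conf
# ---- squid.conf on the proxy host (added example, hypothetical values) ----

# Forward-proxy port reached over TLS. The client-to-proxy leg is protected
# by this single certificate/key pair; Squid has no per-user keys here.
https_port 3129 cert=/etc/squid/proxy.pem key=/etc/squid/proxy.key

# Plain forward-proxy port kept for comparison.
http_port 3128

# Clients allowed to use the proxy at all (assumed LAN range).
acl lan src 192.168.10.0/24

# Tunnelled HTTPS (CONNECT) only to port 443 and only to listed domains.
acl SSL_ports port 443
acl CONNECT method CONNECT
acl allowed_https dstdomain .example.com .example.org

http_access deny CONNECT !SSL_ports
http_access deny CONNECT !allowed_https
http_access allow lan
http_access deny all

# No ssl_bump directive: the CONNECT tunnel is passed through unmodified,
# so Squid never sees the plaintext and cannot present any certificate on
# the user's behalf. The origin sees a TCP connection coming from Squid.

# ---- stunnel.conf on the user's box (added example, hypothetical values) ----
; Browser is pointed at 127.0.0.1:3128 as its plain HTTP proxy; stunnel
; wraps that connection in TLS towards Squid's https_port.
client = yes

[squid-tls]
accept  = 127.0.0.1:3128
connect = proxy.example.com:3129
; Require the proxy to present a certificate chaining to this assumed CA,
; so the user box is not silently talking to an impostor proxy.
verify  = 2
CAfile  = /etc/stunnel/proxy-ca.pem
```

The two halves above are separate files. The `verify = 2` / `CAfile` pair on the client side is the check worth not skipping: without it the TLS leg to the proxy encrypts the traffic but does not authenticate who is on the other end.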
This archive was generated by hypermail 2.2.0 : Tue Mar 15 2011 - 12:00:01 MDT