Re: [squid-users] Client Certificate Authentication

From: Jaime Nebrera <jnebrera_at_eneotecnologia.com>
Date: Tue, 15 Mar 2011 11:04:47 +0100

   Hi Amos,

>> I didn't know this. Might it be that they are confused and that they
>> might be using Kerberos or something like that that in essence is based
>> in certificates?
>
> What do you mean by "they" being confused? You earlier said you were
> setting this up. My answer was based around your question.

   Yes, we are setting this on our own but on premise of certain specs.
I was asked to see if it was possible to do the same "through the proxy"
as other team is doing with end "web sites".

> They likely do it similar or the same way Squid does. With MITM and
> generating a new fake certificate. You asked for ways to do it *without*
> MITM, and relying on a specific existing client certificate set at the
> browser end of the transaction. The fake certs used in MITM do not pass
> validation such as a server checking for specific client certs does.

   Mmm, I understand this is only doable with a MITM deployment as in
essence you would be forging the original user. I raised the question
that this was a security concern by itself, but I believe would be the
only way.

-- 
Jaime Nebrera - jnebrera_at_eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
Received on Tue Mar 15 2011 - 10:04:57 MDT
