Re: [squid-users] Client Certificate Authentication

From: Jaime Nebrera <jnebrera_at_eneotecnologia.com>
Date: Tue, 15 Mar 2011 13:26:37 +0100

   Hi Amos,

> Ah, well.
> Normal HTTPS "through a proxy" uses a CONNECT tunnel. The encryption
> inside that is end-to-end from client to the website server. The proxy
> itself does not get involved (unless the MITM case is set up, then the
> certificate breakage is the MITM admin's problem/fault not yours).

   Yes, I'm aware this works, no problem at all.

   The problem is, they want to identify the user against the proxy too.

   What they are trying to achieve is kind of an SSO system, using a
digital certificate against all resources, both end web system and proxy.

   So it could be said like this.

   1) A user wants to connect to a secure server xyz.com

   2) To do so, it connects first against a proxy server

   3) The proxy server, to auth the user, itself asks for a digital certificate

   4) The proxy says, ok, you are john smith, as stated in your
certificate. Are you allowed to access xyz.com? Log it too.

   5) Client connects to xyz through the proxy using its own certificate

   6) Web server says "Hi John Smith"

   Now, I'm aware this scenario has some problems by itself as the proxy
can't really see inside the packets themselves, only the URL. For
example, it won't be able to cache anything nor go through an antivirus.

   In order to be able to see inside the flow itself I guess some MITM
is needed. My question is, if this is still valid more or less, I
understand the asking in the proxy is ok, but guess forging a digital
certificate at the proxy that is still valid at the other end as if it
came from the browser might not. Of course, this would be insecure and
kill quite a bit the point of it, but they asked for it.

   So, is the first scenario possible? Is the second one with MITM?

> For the end-to-end use of one certificate yes.

   Sure

> If the system can cope
> with two certs client->Squid and Squid->webserver, then the MITM need
> disappears and the stunnel type setup can be used to clients with a
> separate Squid cert to servers.

   Ok, we could call this third scenario, where you have a single cert
for the proxy machine. As you say, would require stunnel in the browser
side but is doable.

   Then the only doubt would be second scenario with some MITM magic :)

   Very thankful Amos, you are being very helpful :D

-- 
Jaime Nebrera - jnebrera_at_eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
Received on Tue Mar 15 2011 - 12:26:41 MDT
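
Added example, not part of the original message and not Squid code: a sketch of the proxy-side decision in steps 3 and 4 of the first scenario, where the proxy sees only the client certificate and the CONNECT target, never the tunnelled content. It assumes the TLS layer has already verified the certificate against a trusted CA and hands over a dict shaped like Python's ssl.SSLSocket.getpeercert() output; POLICY, CERT and the function names are hypothetical.

```python
import fnmatch

# Constructed policy: certificate commonName -> CONNECT hosts that user may reach.
POLICY = {"John Smith": ["xyz.com", "*.xyz.com"]}

def subject_cn(peercert):
    """commonName from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def parse_connect(request_line):
    """'CONNECT host:port HTTP/1.1' -> (host, port), or None if malformed."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host.lower(), int(port)

def authorize(peercert, request_line, policy=POLICY):
    """Steps 3 and 4: name the user from the certificate, decide, build a log line."""
    user = subject_cn(peercert)
    target = parse_connect(request_line)
    allowed = bool(
        user and target
        and any(fnmatch.fnmatchcase(target[0], pat) for pat in policy.get(user, ()))
    )
    # repr() keeps control characters in a certificate field out of the log.
    where = "%s:%d" % target if target else "-"
    log = "user=%r target=%s action=%s" % (user, where, "ALLOW" if allowed else "DENY")
    return allowed, log

# Constructed sample input.
CERT = {"subject": ((("countryName", "ES"),), (("commonName", "John Smith"),))}

if __name__ == "__main__":
    for line in ("CONNECT xyz.com:443 HTTP/1.1", "CONNECT other.example:443 HTTP/1.1"):
        print(authorize(CERT, line)[1])
    print(authorize(None, "CONNECT xyz.com:443 HTTP/1.1")[1])
```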
