Re: [squid-users] explicit forward proxy to server requiring client authentication

2016-05-18 Thread Robert W Weaver
>> 18.05.16 3:11, Robert W Weaver wrote:
>>> The issue is I need to connect to a site that requires client
>>> authentication.  Don't want to put the key and cert on each individual
>>> user, so instead want the key and cert on the proxy.
>>> Diagram:

>>> User A ---> Squid S ---> Server B
>>>         ^            ^
>>>         |            +-- TLS client authentication
>>>         +-- cleartext okay

On Wed, 18 May 2016 17:48:26 +1200, Amos Jeffries wrote:

> On 18/05/2016 10:05 a.m., Yuri Voinov wrote:
>> 
>> ... and a bit below in squid.conf.documented we can see.
>> 
>> # SSL OPTIONS
>> # -----------------------------------------------------------------------------
>> 
>> #  TAG: sslproxy_client_certificate
>> #        Client SSL Certificate to use when proxying https:// URLs
>> #Default:
>> # none
>> 
>> #  TAG: sslproxy_client_key
>> #        Client SSL Key to use when proxying https:// URLs
>> #Default:
>> # none
>> 
>> Ta-da!
> 
> You are the one getting it wrong here Yuri :-(

I am celebrating Yuri's ta dah.  The clue to squid.conf.documented was 
crucial, and the specific hint to sslproxy_client_* was what was missing.

From S to B is now working properly.  Squid is now in the middle, and is 
performing authentication to server B properly.

> * clientca= is for listening ports. He wants that connection to be
> cleartext.

> * sslproxy_* directives are for generic DIRECT connections. He wants a
> specific proxy<->server connection to be TLS authenticated.

> For the S<->B connection to use client certificates. cert= and key= on
> the cache_peer directive defining that link are correct.

> But there are two other details that need to happen for it to work:
> * the server actually challenge for the proxy's 'client' cert, and
> * the server trust the CA which signed that cert.

This is happening.  I'd generated a CSR and had the CA that is the "owner" 
of server B sign it for me.  We are cool.

> The world of "not working" is a very big place. We need more details of
> *how* it's not working in order to have any guideposts towards what the
> problem actually is. As Yuri used to say a lot, my psychic friend is on
> holiday.

It is now working to an acceptable point, although there is an enhancement 
that would be nice.  Right now,

1.  A connects to S, requests https://B/some/image.png
2.  S connects to B over TLS, performs client authentication, gets 
/some/image.png (or pulls from cache)
3.  A converts to TLS to S, pulls down data.

This is fine, it's just that there is an unnecessary encrypt/decrypt 
between A and S.  The connection is inside a controlled data center (on 
the same switch, perhaps on the same ESX host) so I'm not concerned about 
security -- not to mention the cached data isn't especially sensitive. 

So this last bit is just an enhancement, a nice to have.  It's the opposite 
of SSL termination for accelerators, so I suspect it's possible, just don't 
know how to do it.

Coffee (or a favorite beverage) all around!

--woody

-- 
Doubt is not a pleasant condition, but certainty is absurd.
-- Voltaire


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
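An added configuration sketch for the set-up in the diagram, written for this archive rather than taken from any poster's message: it puts the per-link cache_peer form Amos describes next to the global sslproxy_client_* form Yuri quoted. It assumes Squid 3.5 option names on cache_peer (ssl, sslcert=, sslkey=, sslcafile=) and uses placeholder hostnames and file paths.

```conf
# Added example (not from the thread).  Squid 3.5 syntax; every hostname
# and path below is a placeholder.

# 1. Per-link form: only the S<->B link presents the proxy's client cert.
#    Server B must request a client certificate and trust the CA that
#    signed proxy-client.crt, otherwise the handshake still fails.
cache_peer server-b.example.com parent 443 0 no-query originserver \
    ssl \
    sslcert=/etc/squid/certs/proxy-client.crt \
    sslkey=/etc/squid/certs/proxy-client.key \
    sslcafile=/etc/squid/certs/server-b-ca.pem \
    name=serverB

# Route only requests for B through that peer, and never go DIRECT for B,
# so the client certificate is offered on this link and nowhere else.
acl to_serverB dstdomain server-b.example.com
cache_peer_access serverB allow to_serverB
cache_peer_access serverB deny all
never_direct allow to_serverB

# Because the peer is declared originserver, a client that asks S for
# http://server-b.example.com/some/image.png gets the A<->S leg in
# cleartext while S<->B stays TLS (my reading of the accelerator-style
# setup the thread hints at; assumption, not something a poster confirmed).

# 2. Global form (what Yuri quoted): every https:// URL that Squid fetches
#    DIRECT presents the same client certificate.  Simpler, but the proxy's
#    key is offered to every TLS origin, not just B.
# sslproxy_client_certificate /etc/squid/certs/proxy-client.crt
# sslproxy_client_key         /etc/squid/certs/proxy-client.key
```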


Re: [squid-users] explicit forward proxy to server requiring client authentication

2016-05-18 Thread Matus UHLAR - fantomas

On 17.05.16 17:11, Robert W Weaver wrote:

The issue is I need to connect to a site that requires client
authentication.  Don't want to put the key and cert on each individual
user, so instead want the key and cert on the proxy.

Diagram:

User A ---> Squid S ---> Server B
        ^            ^
        |            +-- TLS client authentication
        +-- cleartext okay

I'm able to bump, but the client authentication to server B isn't working.


...of course it's not working. When you bump a connection, you are effectively
doing the MITM attack. The client talks to a proxy and the proxy talks to a
server. Squid can't use the client's certificate because it does not have the
client's private key (the whole point of SSL is to avoid these situations).

SSL authentication can work between client and proxy, and another one
between proxy and the server.

If you have certification authority, you can create fake clients' key and
authenticate with it, but the server (site) must accept your authority.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.


Re: [squid-users] explicit forward proxy to server requiring client authentication

2016-05-18 Thread Matus UHLAR - fantomas

On 17.05.16 18:10, zodyo wrote:

I have the same problem here, the client can't log in to a server with auth like LDAP
via transparent/static squid.
I have tried with lusca and the newer squid 3.5.17


how can this be the same problem? It's a very different problem.


when talking about "transparent" proxy, you apparently mean "intercepting"
proxy - client tries to connect to a server, but the connection is
redirected to proxy.

Now, the client can _not_ log onto a proxy, if it believes it connects to
the server, not to the proxy - it does not know there's a proxy.

You must configure the proxy (explicitly, or using the WPAD protocol) if you want
your clients to authenticate on it.

Or, you must use an out-of-band authentication protocol (an external program that
will check who the client is, e.g. who is logged on at the client computer).
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.


Re: [squid-users] explicit forward proxy to server requiring client authentication

2016-05-17 Thread zodyo
Dear all,

I have the same problem here, the client can't log in to a server with auth like LDAP
via transparent/static squid.
I have tried with lusca and the newer squid 3.5.17





Re: [squid-users] explicit forward proxy to server requiring client authentication

2016-05-17 Thread Yuri Voinov

PS. I read the manual out loud. With an expression. Expensive. :-!:-D


18.05.16 3:11, Robert W Weaver wrote:
> Greetings, squid users and devs,
>
> I think this is usual, but I can't find examples, and I can't make it
> work. :-)
>
> The issue is I need to connect to a site that requires client
> authentication.  Don't want to put the key and cert on each individual
> user, so instead want the key and cert on the proxy.
>
> Diagram:
>
> User A ---> Squid S ---> Server B
>         ^            ^
>         |            +-- TLS client authentication
>         +-- cleartext okay
>
> I'm able to bump, but the client authentication to server B isn't
> working.  Configured cert and key on S with ssl-bump cert= .. key= ..
> but that isn't working.
>
> Is this not possible?
>
> --woody
>
>
> -- 
> "I used to wish the universe were fair. Then one day it hit me: What if
> the universe were fair? Then all the awful things that happen to us in
> life, would happen because we deserved them. So now I take great pleasure
> in the general hostility and unfairness of things."
> -- Marcus, on Babylon 5
>



Re: [squid-users] explicit forward proxy to server requiring client authentication

2016-05-17 Thread Yuri Voinov

... and a bit below in squid.conf.documented we can see.

# SSL OPTIONS
# -----------------------------------------------------------------------------

#  TAG: sslproxy_client_certificate
#        Client SSL Certificate to use when proxying https:// URLs
#Default:
# none

#  TAG: sslproxy_client_key
#        Client SSL Key to use when proxying https:// URLs
#Default:
# none

Ta-da!


18.05.16 3:11, Robert W Weaver wrote:
> Greetings, squid users and devs,
>
> I think this is usual, but I can't find examples, and I can't make it
> work. :-)
>
> The issue is I need to connect to a site that requires client
> authentication.  Don't want to put the key and cert on each individual
> user, so instead want the key and cert on the proxy.
>
> Diagram:
>
> User A ---> Squid S ---> Server B
>         ^            ^
>         |            +-- TLS client authentication
>         +-- cleartext okay
>
> I'm able to bump, but the client authentication to server B isn't
> working.  Configured cert and key on S with ssl-bump cert= .. key= ..
> but that isn't working.
>
> Is this not possible?
>
> --woody
>
>
> -- 
> "I used to wish the universe were fair. Then one day it hit me: What if
> the universe were fair? Then all the awful things that happen to us in
> life, would happen because we deserved them. So now I take great pleasure
> in the general hostility and unfairness of things."
> -- Marcus, on Babylon 5
>



Re: [squid-users] explicit forward proxy to server requiring client authentication

2016-05-17 Thread Yuri Voinov



18.05.16 3:11, Robert W Weaver wrote:
> Greetings, squid users and devs,
>
> I think this is usual, but I can't find examples, and I can't make it
> work. :-)
>
> The issue is I need to connect to a site that requires client
> authentication.  Don't want to put the key and cert on each individual
> user, so instead want the key and cert on the proxy.
>
> Diagram:
>
> User A ---> Squid S ---> Server B
>         ^            ^
>         |            +-- TLS client authentication
>         +-- cleartext okay
>
> I'm able to bump, but the client authentication to server B isn't
> working.  Configured cert and key on S with ssl-bump cert= .. key= ..
> but that isn't working.
Because these parameters are for bump, from Squid to the server. Not for
the client certificate.
>
> Is this not possible?
You're doing it wrong.

When we read squid.conf.documented, a bit below we can see:

#        clientca=        File containing the list of CAs to use when
#                         requesting a client certificate.
#

>
> --woody
>
>
> -- 
> "I used to wish the universe were fair. Then one day it hit me: What if
> the universe were fair? Then all the awful things that happen to us in
> life, would happen because we deserved them. So now I take great pleasure
> in the general hostility and unfairness of things."
> -- Marcus, on Babylon 5
>
