On 11/08/18 05:02, rahman wrote:
> Hi, please let me know whether squid supports two-way SSL authentication. Please
> confirm if we can have an application server connection to a remote server via
> a NATed squid proxy. The remote server requires client authentication
> (SSL mutual auth). If yes, please guide on how to set it up.


No.

Squid does/should support two-way TLS authentication.

However, when NAT is involved the clients very likely do not permit it
to happen for all the exact same reasons that NAT breaks all types of
authentication:

 * the client does not know that it is talking to the proxy.

NAT is interception and TLS is explicitly designed to prevent
interception. Two-way authentication is even more strictly forbidding
than regular one-way authentication in TLS.


Any client worth using *will not* send security credentials at any level
to an upstream proxy which is not supposed to be there. The client
connected to the origin server and will only send credentials appropriate
for that origin.
The proxy does not have access to the private key(s) of the origin. So it
cannot generate nor verify any authentication token (ie client
certificate) which requires that private key.

The best a proxy can do is replace the origin keys with proxy keys and
hope the client is a) not verifying properly, or b) trusts the proxy
based on those new keys alone. (This is what SSL-Bump does.)

Amos
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
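The argument above can be checked end to end in a small model. The following is an added example, not code from the Squid project or from the thread: it uses textbook RSA with small primes (insecure, for illustration only) and a simplified TLS 1.3-style handshake in which each side signs the handshake transcript with its own private key. The hostnames, certificate names and nonce are constructed. It runs the four cases discussed: a direct connection, an intercepting proxy that relays the origin's certificate without the origin's private key, a proxy that substitutes its own certificate without the client trusting its CA, and SSL-Bump with the proxy CA installed on the client. In that last case the client does hand over its client certificate, but the signature is bound to the proxy's transcript and the proxy cannot re-sign it for the origin, which is exactly why the origin rejects it.

```python
"""Toy model of why an intercepting (NAT) proxy cannot complete TLS mutual
authentication.  Textbook RSA with small primes and a simplified TLS 1.3-style
handshake; all keys, names and the nonce are constructed and NOT secure."""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by all toy keys


def keygen(p, q):
    """Return (public, private) toy RSA keys from two constructed primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    d, n = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    pub: tuple
    issuer: str
    sig: int

    def tbs(self) -> bytes:  # the "to-be-signed" part the issuer vouches for
        return f"{self.subject}|{self.pub[0]}|{self.pub[1]}".encode()


def issue(issuer: str, issuer_priv, subject: str, pub) -> Cert:
    return Cert(subject, pub, issuer, sign(issuer_priv, Cert(subject, pub, issuer, 0).tbs()))


def cert_ok(cert: Cert, trust: dict) -> bool:
    """Accept only certificates signed by an issuer present in the trust store."""
    issuer_pub = trust.get(cert.issuer)
    return issuer_pub is not None and verify(issuer_pub, cert.tbs(), cert.sig)


def server_side(cert: Cert, signing_priv, nonce: bytes):
    """Server Certificate + CertificateVerify: a signature over the transcript,
    which the client checks with the public key inside `cert`."""
    return cert, sign(signing_priv, nonce + cert.tbs())


def client_side(trust, expected_host, nonce, presented: Cert, server_cv,
                client_cert: Cert, client_priv):
    """A properly verifying client: authenticate the server first, and only then
    sign the transcript with its own key.  None means no credentials are sent."""
    transcript = nonce + presented.tbs()
    if presented.subject != expected_host or not cert_ok(presented, trust):
        return None
    if not verify(presented.pub, transcript, server_cv):
        return None  # whoever presented this cert does not hold its private key
    return client_cert, sign(client_priv, transcript)


def origin_verify(trust, origin_cert: Cert, nonce, client_msg) -> bool:
    """Origin checks the client cert chain and that the CertificateVerify covers
    *its own* transcript (nonce + the certificate *it* presented)."""
    if client_msg is None:
        return False
    cert, cv = client_msg
    return cert_ok(cert, trust) and verify(cert.pub, nonce + origin_cert.tbs(), cv)


# Constructed actors: a public CA, the origin, the application-server client,
# and a proxy that holds only its own key (and can act as a "bumping" CA).
CA_PUB, CA_PRIV = keygen(10007, 10009)
ORIGIN_PUB, ORIGIN_PRIV = keygen(10037, 10039)
CLIENT_PUB, CLIENT_PRIV = keygen(10061, 10067)
PROXY_PUB, PROXY_PRIV = keygen(10069, 10079)
HOST = "api.example.test"
ORIGIN_CERT = issue("PublicCA", CA_PRIV, HOST, ORIGIN_PUB)
CLIENT_CERT = issue("PublicCA", CA_PRIV, "app-server-client", CLIENT_PUB)
PROXY_CERT = issue("ProxyCA", PROXY_PRIV, HOST, PROXY_PUB)  # proxy-made cert for the origin's name
NONCE = b"constructed-client-random"


def run_scenarios() -> dict:
    trust = {"PublicCA": CA_PUB}
    out = {}
    # 1. Client talks to the origin directly: mutual auth succeeds.
    cert, cv = server_side(ORIGIN_CERT, ORIGIN_PRIV, NONCE)
    msg = client_side(trust, HOST, NONCE, cert, cv, CLIENT_CERT, CLIENT_PRIV)
    out["direct"] = origin_verify(trust, ORIGIN_CERT, NONCE, msg)
    # 2. Proxy relays the origin's real cert but can only sign with its own key
    #    (no origin private key): the client sends nothing.
    cert, cv = server_side(ORIGIN_CERT, PROXY_PRIV, NONCE)
    out["relay_without_origin_key"] = client_side(trust, HOST, NONCE, cert, cv, CLIENT_CERT, CLIENT_PRIV) is not None
    # 3. Proxy substitutes its own cert for the origin name; its CA is untrusted.
    cert, cv = server_side(PROXY_CERT, PROXY_PRIV, NONCE)
    out["bump_untrusted_ca"] = client_side(trust, HOST, NONCE, cert, cv, CLIENT_CERT, CLIENT_PRIV) is not None
    # 4. SSL-Bump with the proxy CA in the client's trust store: the client does
    #    send credentials, but they are bound to the proxy's transcript and the
    #    proxy lacks CLIENT_PRIV to re-sign them, so relaying them to the origin fails.
    msg = client_side({**trust, "ProxyCA": PROXY_PUB}, HOST, NONCE, cert, cv, CLIENT_CERT, CLIENT_PRIV)
    out["bump_trusted_client_sent_creds"] = msg is not None
    out["bump_trusted_origin_accepts"] = origin_verify(trust, ORIGIN_CERT, NONCE, msg)
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {ok}")
```

The transcript binding in `client_side` and `origin_verify` is the part that matters: a client certificate relayed through the bump is still a valid certificate, but the accompanying signature covers a transcript containing the proxy's certificate, not the origin's, and only the holder of the client's private key could produce a fresh one.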