On 11/08/18 05:02, rahman wrote:
> Hi, Please let me know if squid supports two way ssl authentication. Please
> confirm if we can have an application server connection to remote server via
> NATed squid proxy. The remote server requires client authentication
> (SSL Mutual Auth)? If yes, please guide on how to set it up.

No.

Squid does/should support two-way TLS authentication. However, when NAT is
involved the clients very likely do not permit it to happen for all the
exact same reasons that NAT breaks all types of authentication:

 * the client does not know that it is talking to the proxy.

NAT is interception and TLS is explicitly designed to prevent
interception. Two-way authentication is even more strictly forbidding
than regular one-way authentication in TLS.

Any client worth using *will not* send security credentials at any level
to an upstream proxy which is not supposed to be there. The client
connected to the origin server and will only send credentials appropriate
for that origin.

The proxy does not have access to private key(s) of the origin. So it
cannot generate nor verify any authentication token (i.e. client
certificate) which requires that private key.

The best a proxy can do is replace the origin keys with proxy keys and
hope the client is a) not verifying properly, or b) trusts the proxy
based on those new keys alone. (This is what SSL-Bump does).

Amos
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev