Configure Squid for mutual TLS (mTLS)


I have a public API, call it api.example.com, which is configured for mTLS. I am able to confirm that mTLS is working by using curl https://api.example.com --cert /path/to/cert --key /path/to/key where the "cert" is the client cert and the "key" is the client key.

I am trying to get this to work via Squid so that I don't have to supply the --cert and --key parameters and can have other back-end processes make the call via some http.get() command.

I have a working Squid configuration without mTLS. To this, I added:

tls_outgoing_options cert=/path/to/cert
tls_outgoing_options key=/path/to/key

I then tried

curl https://api.example.com

and expected this to work. Instead I get the following output when I use the curl -v option:

Connected to api.example.com port 443
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Request CERT (13):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.example.com:443
Closing connection

I also tried adding the following to squid.conf based on some research:

ssl_bump server-first all

This made no difference.

Has anyone been able to get Squid to work with mTLS? If so how? I am using Squid version 5.8.


There are 0 answers
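Added note and example, not part of the original question. Two things stand out in the curl -v trace above. First, curl connects straight to api.example.com:443 (there is no CONNECT line to a proxy), so Squid was not in the path at all: the server sends Request CERT, curl sends a Certificate message with nothing in it because no --cert was given, and the server closes the connection, which OpenSSL surfaces as SSL_ERROR_SYSCALL. Second, even with a proxy configured, an https:// URL reaches Squid as a CONNECT tunnel, and the TLS session inside that tunnel is end-to-end between curl and the server; Squid cannot add a client certificate to a handshake it is only relaying. tls_outgoing_options only takes effect when Squid itself is the TLS client to the origin, which means the request has to terminate at Squid: either by bumping it (which requires the clients to trust a Squid-issued CA) or, more simply for back-end processes, by having them send plain HTTP to Squid and letting Squid re-originate the request to the API over TLS through a cache_peer that carries the client certificate. The squid.conf below illustrates the second approach; it is written for this note rather than taken from the poster's setup, and the listen address, the ACL subnet and the certificate paths are assumptions.

```squid
# Added example (not the poster's configuration): Squid 5 as a forward proxy
# that accepts plain HTTP from local back-end processes and re-originates
# each request to api.example.com over TLS, presenting the client certificate
# itself. Listen address, client subnet and file paths are assumptions.

http_port 127.0.0.1:3128

# The hop from the back-end process to Squid is plaintext, and anything that
# can reach this port effectively borrows the client certificate, so admit
# only local clients and only for the mTLS destination.
acl localnet src 127.0.0.1/32
acl api_dst dstdomain api.example.com
http_access allow localnet api_dst
http_access deny all

# The mTLS origin as an origin-server parent. sslcert= and sslkey= are the
# client certificate and key Squid presents in the handshake; tls-cafile=
# is the CA bundle used to verify the API's server certificate.
cache_peer api.example.com parent 443 0 no-query originserver tls sslcert=/path/to/cert sslkey=/path/to/key tls-cafile=/path/to/ca.pem name=api_mtls

# Send api.example.com only through that peer, never by a direct connection
# (a direct connection would use tls_outgoing_options instead, and would
# also work, but the peer keeps the certificate scoped to this one host).
cache_peer_access api_mtls allow api_dst
cache_peer_access api_mtls deny all
never_direct allow api_dst
```

To test it, point curl at the proxy with an http:// URL, not https://, for example curl -v -x http://127.0.0.1:3128 http://api.example.com/ ; Squid then opens the TLS connection to the API and the client certificate is presented without curl ever seeing it. Using https:// with -x would turn the request back into a CONNECT tunnel and reproduce the original failure. If the back-end processes cannot be told to use a proxy, the same cache_peer works in reverse-proxy mode instead, with http_port 127.0.0.1:8080 accel defaultsite=api.example.com and the clients calling Squid's address directly. In both cases the client-to-Squid leg is unauthenticated plaintext, so keep it on loopback or a private interface, or terminate it with https_port and a separate server certificate.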