0
votes

I'd like to use openssl s_client to open a TLS connection through a proxy (Squid) to an origin server using the CONNECT request method. I am using a client certificate to connect to the proxy server as shown:

openssl s_client -connect my_proxy:4443 -CAfile /etc/ssl/ca/ca.crt -cert /etc/ssl/cert/client.crt -key /etc/ssl/key/client_key.pem

After running the above, connection information prints out fine and then I enter the CONNECT and GET methods, and this works fine:

CONNECT www.google.com:80 HTTP/1.1
Host: www.google.com

HTTP/1.1 200 Connection established

GET /search?q=ip+address HTTP/1.1
Host: www.google.com

HTTP/1.1 200 OK

However, I would really like to be able to establish a TLS (https) connection but I haven't been able to get it to work:

CONNECT www.google.com:443 HTTP/1.1
Host: www.google.com

HTTP/1.1 200 Connection established

GET /search?q=ip+address HTTP/1.1

closed

What am I doing wrong here? Before you say to try OpenSSL 1.1.x which has the -proxy parameter, I've already tried that. Note that the CA cert, client cert and client key on the above command are for the connection to my proxy server, not for the target server (google.com), as shown below with OpenSSL 1.1.0-pre3 (same output if I try to connect to google:443).

openssl s_client -connect google.com:80 -proxy my_proxy:4443 -CAfile /etc/ssl/ca/ca.crt -cert /etc/ssl/cert/client.crt -key /etc/ssl/key/client_key.pem

CONNECTED(00000003)

s_client: HTTP CONNECT failed

no peer certificate available

No client certificate CA names sent
SSL handshake has read 0 bytes and written 25 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

I was able to load my client cert, client key, and CA cert into Firefox (all bundled in a pkcs12 file) and am able to connect to various websites through TLS. This should be possible on the command line.

1
Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask. Also see Where do I post questions about Dev Ops?. – jww

1 Answer

1
votes

"Note that the CA cert, client cert and client key on the above command are for the connection to the proxy server, not for the -connect server."

I doubt that. According to the source -proxy is only used to make the tunnel through the proxy, i.e.

  • makes a TCP connect to the given proxy
  • sends the CONNECT request with the target from -connect argument to the proxy
  • waits for the response of the proxy that the tunnel got established
  • no certificates are involved when creating the tunnel, like it should be

"This should be possible on the command line."

This is only possible with the -proxy option. Versions of s_client which don't have this option yet cannot be used alone to establish a connection through an HTTP proxy because the necessary functionality is simply not implemented. You might try to use s_client together with other tools which will provide the necessary tunnel, like socat or proxytunnel.
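The tunnel steps the answer lists, written out by hand as an added example (this is not code from the question, the answer or OpenSSL): plain TCP to the proxy, a CONNECT request, a 2xx answer, and only then the TLS handshake to the origin inside the tunnel, which is the step missing in the question's second attempt (a plaintext GET sent to port 443 gets the connection closed). The TLS-with-client-certificate hop to the proxy itself from the question is not modelled; the proxy hop here is plain TCP, as with -proxy. The proxy and target addresses are placeholders chosen by the caller.

```python
import socket
import ssl


def build_connect_request(host, port):
    """CONNECT in authority form; the Host header repeats the same host:port."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw):
    """Return (status_code, reason) from the proxy's status line; reject non-2xx."""
    status_line = raw.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed proxy status line: {status_line!r}")
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    if not 200 <= code < 300:
        raise ConnectionError(f"proxy refused tunnel: {code} {reason}")
    return code, reason


def open_tunnel(sock, host, port):
    """Send CONNECT over an already-open socket to the proxy and read its reply."""
    sock.sendall(build_connect_request(host, port))
    buf = b""
    # A 2xx reply to CONNECT has no body, so stop at the blank line: anything
    # read past it would be origin-side bytes that belong to the TLS handshake.
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed connection before answering CONNECT")
        buf += chunk
    return parse_connect_response(buf)


def https_get_via_proxy(proxy, target, path="/", cafile=None):
    """TCP to proxy -> CONNECT -> TLS handshake to the origin inside the tunnel -> GET."""
    host, port = target
    with socket.create_connection(proxy, timeout=10) as sock:
        open_tunnel(sock, host, port)
        # No certificates are involved until here; these checks are for the origin.
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            return tls.recv(4096)
```

For example, `https_get_via_proxy(("my_proxy", 3128), ("www.google.com", 443), "/search?q=ip+address")` returns the first bytes of the origin's TLS-protected HTTP response.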