Re: How Bad is CONNECT and Should I Prevent It?

On 6/19/07, Vadim Pushkin <wiskbroom@xxxxxxxxxxx> wrote:
> I am only looking to inspect each SSL connection for the purposes of
> determining if the traffic should be allowed, i.e. non-malicious (not chat,
> file-transfer, etc).

If you actually want to inspect the protocol inside the SSL, I'm not
aware of any free products in this space, but it is a feature of a
growing number of commercial products.   These all, TMK, assume that
you are able to load your own additional trusted root certificate on
all clients -- this is trivial in corporations, might be more
difficult in a university, and shouldn't be considered by a
traditional ISP (back to the privacy implications I mentioned
previously).


> Can anyone recommend such a product?  Also, I should mention, I am not
> looking to spend a lot of money.

Blue Coat street price starts at about $3K.  Their ProxySG product
supports internet standards including ICAP and ICP, and should be
fully capable of participating in a Squid hierarchy (I haven't tested
this...yet) as an ICP parent/child/peer.  The base license includes IM
controls and a 'Is this really SSL?' test, but SSL termination
requires an add-on license.  Also, their URL categorization engine can
accept databases from many of the top censorware vendors (or their
own), licensed "per seat".


> Are there any plans on the roadmap to do
> this sort of traffic analysis within Squid?

I'm not aware of any.
ICAP doesn't support MITM "CONNECT" tunnel handling. Though some ICAP
clients will forward the CONNECT "URL" to an ICAP service to be
approved or denied, the ICAP standard doesn't allow for looking inside
the SSL/TLS conversation.

Personally, what I've done is configure Squid to hand off CONNECT
sessions to a "parent" proxy supporting SSL inspection:
  # Two SSL-inspecting parents: 8008 is their HTTP port, 7 the ICP port
  # (unused because of no-query)
  cache_peer ssl1.intranet     parent    8008 7  no-query
  cache_peer ssl2.intranet     parent    8008 7  no-query
  # SSL_ports is defined in the stock squid.conf; repeated here so the
  # deny rule below parses on its own
  acl SSL_ports port 443
  acl CONNECT method CONNECT
  # Refuse tunnels to anything but the SSL ports before they reach a parent
  http_access deny CONNECT !SSL_ports
  # Only CONNECT requests are sent to the inspecting parents (rules are
  # evaluated in order: allow CONNECT, then deny everything else)
  cache_peer_access ssl1.intranet allow CONNECT
  cache_peer_access ssl2.intranet allow CONNECT
  cache_peer_access ssl1.intranet deny all
  cache_peer_access ssl2.intranet deny all
  # CONNECT must never bypass the parents and go direct
  never_direct allow CONNECT

Kevin
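An added example, not code from Squid, Blue Coat, or anyone in this thread: the "Is this really SSL?" check mentioned above can be made without loading a MITM root certificate on clients, by looking only at the first bytes the client sends down the CONNECT tunnel. A TLS ClientHello starts with a handshake record (content type 0x16, major version 3), and in practice names its destination in the server_name (SNI) extension. The Python below parses exactly that far, classifies three constructed samples (a hand-built ClientHello, an SSH banner, an IRC login) and shows the policy hook a proxy could apply. The functions build_client_hello, parse_client_hello and classify_tunnel and all sample byte strings are assumptions of this example. Caveats a practitioner should keep in mind: the SNI is supplied by the client and is not verified against the certificate here, a ClientHello may be split across several records (not handled), and a client can simply omit SNI, so this filters the protocol but does not replace terminating the session when you need to see the payload.

```python
"""Peek at the first bytes a client sends down a CONNECT tunnel, decide whether
they form a TLS ClientHello and, if so, extract the SNI host name.

Added example, not code from Squid or from any product named in the thread.
All sample byte strings are constructed here; build_client_hello() exists only
to generate the TLS sample."""
import struct


def build_client_hello(sni, cipher_suites=(0x1301, 0x1302, 0x002F)):
    """Assemble a minimal TLS 1.2-style ClientHello record carrying one
    server_name extension. Constructed test input, not a real capture."""
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # NameType host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03"                                  # client_version TLS 1.2
            + b"\x11" * 32                                # random, fixed for the example
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return the SNI host name if `data` starts with one complete TLS
    ClientHello record ("" if the hello carries no SNI), else None."""
    # TLS record header: content type 0x16 (handshake), major version 3, 16-bit length
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < rec_len or len(rec) < 4 or rec[0] != 0x01:   # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) < hs_len:
        return None
    pos = 2 + 32                                   # skip client_version and random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                             # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                             # compression_methods
    if len(hs) < pos + 2:
        return ""                                  # well-formed hello without extensions
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hs):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(body) >= 2:          # server_name extension
            names = body[2:2 + struct.unpack("!H", body[:2])[0]]
            q = 0
            while q + 3 <= len(names):
                ntype, nlen = names[q], struct.unpack("!H", names[q + 1:q + 3])[0]
                if ntype == 0:                     # NameType host_name
                    return names[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
    return ""


def classify_tunnel(first_bytes, allowed_hosts):
    """Policy for a CONNECT tunnel decided from its first client bytes alone."""
    sni = parse_client_hello(first_bytes)
    if sni is None:
        return "deny"       # not TLS: SSH, IRC, file transfer, or a truncated hello
    if sni == "":
        return "deny"       # TLS, but the client named no destination
    return "allow" if sni in allowed_hosts else "deny"


# Constructed samples of what a client might send right after CONNECT host:443
TLS_SAMPLE = build_client_hello("www.example.com")
SSH_SAMPLE = b"SSH-2.0-OpenSSH_4.7\r\n"
IRC_SAMPLE = b"NICK guest\r\nUSER guest 0 * :guest\r\n"

if __name__ == "__main__":
    for label, sample in (("tls", TLS_SAMPLE), ("ssh", SSH_SAMPLE), ("irc", IRC_SAMPLE)):
        print(label, parse_client_hello(sample), classify_tunnel(sample, {"www.example.com"}))
```

Run stand-alone it prints the SNI and decision for each sample; a proxy would call classify_tunnel on the first read from the client socket before splicing the tunnel, and fall through to an SSL-terminating parent (as in the configuration above) only for the connections this quick check cannot decide.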
