Philipp wrote:
Hi,

I would like to bump requests to sites with invalid certificates only. Sites that have valid SSL certificates should not be bumped (bump decision based on validity of the SSL cert).

First, I tried this ACL:

    acl InvalidCert ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
    acl InvalidCert ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
    acl InvalidCert ssl_error X509_V_ERR_CERT_NOT_YET_VALID
    acl InvalidCert ssl_error X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
    acl InvalidCert ssl_error X509_V_ERR_CERT_HAS_EXPIRED
    acl InvalidCert ssl_error X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
    acl InvalidCert ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    ssl_bump allow InvalidCert
    ssl_bump deny all

Result: Squid uses CONNECT for https.
Interpretation: 'ssl_bump deny all' always matches.

Second, I tried this ACL:

    acl NoSSLError ssl_error SSL_ERROR_NONE
    ssl_bump deny NoSSLError
    ssl_bump allow all

Result: Squid uses CONNECT for https.
Interpretation: 'ssl_bump deny NoSSLError' always matches.

Last, I also tried "normal" ACLs such as:

    acl whitelisted dstdomain .somedomain.com
    ssl_bump deny whitelisted
    ssl_bump allow all

This works as expected. If .somedomain.com is https, Squid uses CONNECT. All other https sites are bumped.

I am aware that the ssl_error ACL type is not documented (at least I could not find any documentation). I'm trying this setup with Squid 3.1.0.2.

Can this sort of ACL (bump decision based on validity of the cert) be done, or is this a bug?
Looks like it's probably a bug. Please report it so the sslbump guys can check.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2