Re: Certificate server validation

On 20/01/2013 01:24, Amos Jeffries wrote:
> On 19/01/2013 3:37 a.m., vincent viard wrote:
>> Hello,
>>
>> I ask you about the feasibility of achieving a validation of the server
>> certificates used during SSL/TLS session establishment in HTTPS at the
>> level of the Squid proxy?
>> The idea is not to break the SSL session with a man-in-the-middle (e.g.
>> SSLBump), but to authenticate (and to authorize) the target with a
>> white or black list of CAs. In other words, to realize with Squid the
>> first validation of the SSL handshake logically made by the client
>> browser on the certificate of the server.
>>
>> In advance, thank you and good day.
>>
>> Vince
>
> Please see http://wiki.squid-cache.org/Features/SslServerCertValidator
>
> This feature is merged and will be in the 3.4 series when it is released. To use it now you need to build the 3.HEAD Squid sources.


Can Squid handle a slightly simpler case where we want to restrict CONNECT access to servers which meet/fail to match a certain SSL cname? E.g. I want to block Facebook access, but without sslbump, so I allow SSL proxying, but deny connections to servers with an SSL cname *.facebook.com?

Thanks

Ed W

