Is it possible for squid to intercept and apply acl's to https without actually decrypting and generating certificates etc? The conversation would go something like: . Client makes connection to IP 1.2.3.4 . Squid intercepts the connection (but doesn't respond yet) . Squid connects to 1.2.3.4 to obtain the hostname (CN or other identifier) of the certificate [1] . Squid applies ACL rules to the hostname [2] . If the ACL results in a deny then the client connection is dropped [3] . If the ACL results in an allow then a new connection is made to the 1.2.3.4 and squid just blindly proxies the TCP connection [1] I believe certificates can be valid for multiple hostnames, and wildcards, so this would have to be taken into account [2] stream is encrypted, so obviously no access to URL etc [3] dropped, because there isn't much else you can do with it, although maybe at this point a fake cert could be used to supply an "access denied" page? The main thing I would find this useful for is simply for logging. I've checked the docs but https_port appears to require a certificate, which isn't what I want. Thanks James
