On 12/07/2014 12:24 a.m., James Harper wrote:
>>
>> Is it possible for squid to intercept and apply acl's to https
>> without actually decrypting and generating certificates etc? The
>> conversation would go something like:
>>
>
> It actually almost works if I put a dummy cert on the https_port
> config line with ssl-bump, but then use none for ssl_bump. In order
> to parse the dstdomain, I assume squid must be getting the cert cn
> first, right? Unfortunately it seems to throw the details it gathered
> away after checking what bump to use as all I get in there is the
> destination IP. Logging %ssl::>cert_subject just shows "-".

http://www.squid-cache.org/Doc/config/logformat/:

  %ssl::>cert_subject
      log the Subject field of a SSL certificate ...
      ... *received from the client.*

PS. MITM starts when your description needs to use the word "intercept"
or one of its variations.

Amos