On 07/11/2014 05:43 AM, James Harper wrote: > Is it possible for squid to intercept and apply acl's to https > without actually decrypting and generating certificates etc? The > conversation would go something like: > . Client makes connection to IP 1.2.3.4 > . Squid intercepts the connection (but doesn't respond yet) > . Squid connects to 1.2.3.4 to obtain the hostname (CN or other identifier) of the certificate [1] > . Squid applies ACL rules to the hostname [2] > . If the ACL results in a deny then the client connection is dropped [3] > . If the ACL results in an allow then a new connection is made to the 1.2.3.4 and squid just blindly proxies the TCP connection > > [1] I believe certificates can be valid for multiple hostnames, and wildcards, so this would have to be taken into account > [2] stream is encrypted, so obviously no access to URL etc > [3] dropped, because there isn't much else you can do with it, although maybe at this point a fake cert could be used to supply an "access denied" page? I believe the above is one of the use cases that SSL Peek and Splice project aims to address. Look for step2 "peek" and "terminate" actions specifically: http://wiki.squid-cache.org/Features/SslPeekAndSplice IIRC, both of those actions are supported in the experimental project branch, but we have not polished the changes for the official submission yet. https://code.launchpad.net/~measurement-factory/squid/peek-and-splice HTH, Alex.
