On 07/11/2014 10:18 AM, James Lay wrote:
> On 2014-07-11 10:14, Alex Rousskov wrote:
>> On 07/11/2014 05:43 AM, James Harper wrote:
>>
>>> Is it possible for squid to intercept and apply ACLs to https
>>> without actually decrypting and generating certificates etc? The
>>> conversation would go something like:
>>>
>>> . Client makes connection to IP 1.2.3.4
>>> . Squid intercepts the connection (but doesn't respond yet)
>>> . Squid connects to 1.2.3.4 to obtain the hostname (CN or other
>>>   identifier) of the certificate [1]
>>> . Squid applies ACL rules to the hostname [2]
>>> . If the ACL results in a deny then the client connection is dropped [3]
>>> . If the ACL results in an allow then a new connection is made to the
>>>   1.2.3.4 and squid just blindly proxies the TCP connection
>>>
>>> [1] I believe certificates can be valid for multiple hostnames, and
>>>     wildcards, so this would have to be taken into account
>>> [2] stream is encrypted, so obviously no access to URL etc
>>> [3] dropped, because there isn't much else you can do with it,
>>>     although maybe at this point a fake cert could be used to supply an
>>>     "access denied" page?
>>
>> I believe the above is one of the use cases that the SSL Peek and Splice
>> project aims to address. Look for the step2 "peek" and "terminate" actions
>> specifically:
>>
>> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>>
>> IIRC, both of those actions are supported in the experimental project
>> branch, but we have not polished the changes for the official submission
>> yet.
>>
>> https://code.launchpad.net/~measurement-factory/squid/peek-and-splice
>>
>> HTH,
>>
>> Alex.
>
> I'd like this as well...how do we get the branch? Thanks.

See the URL above. You will need a bzr client to check the code out and a
development environment to bootstrap the sources and build Squid.

Please note that this unofficial trunk-based feature branch is not
supported by the Squid Project.

Thank you,

Alex.
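For readers of this thread, here is an added configuration example (not from any of the posters and not from the Squid Project) showing the policy James Harper describes, using the SslBump directive syntax as it shipped in later Squid 3.5 releases rather than the 2014 experimental branch discussed above. The port number, CA file path and the denied domain are placeholders; the at_step, ssl::server_name, peek, splice and terminate keywords are real Squid 3.5 features, but their availability and spelling in the branch linked above is an assumption.

```squid
# Added example, not from the thread or the Squid Project. Squid 3.5-style
# SslBump configuration: peek at the TLS handshake to learn the server name,
# apply an ACL to it, then either drop the connection or splice it through
# untouched. Port, CA path and the denied domain are placeholders.

# Intercepted HTTPS port. The directive requires a CA certificate even though
# the peek/splice/terminate paths below never mint a client-facing certificate.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl/squid-ca.pem

# SslBump1: only the TCP destination (IP:port) is known.
acl step1 at_step SslBump1
# SslBump2: the client's ClientHello has been seen, so the SNI is known.
acl step2 at_step SslBump2

# Policy ACL. ssl::server_name matches the SNI from the ClientHello and, once
# the server's certificate has been peeked at, the names in that certificate
# (CN / subjectAltName), which covers footnote [1]'s multi-name certificates.
# The leading dot makes the entry match the domain and its subdomains.
acl denied_sites ssl::server_name .blocked.example

# Step 1: peek at the ClientHello without decrypting anything.
ssl_bump peek step1
# Step 2: peek at the server's handshake as well, so the server certificate's
# names can be checked before deciding ("peek" here still allows a later splice).
ssl_bump peek step2
# Step 3: close the connection for denied names (no error page is possible
# without bumping, as footnote [3] notes); otherwise splice the TCP stream
# through so the proxy never holds a decrypted copy.
ssl_bump terminate denied_sites
ssl_bump splice all
```

At each step Squid evaluates the ssl_bump rules top to bottom and takes the first matching action, so the order above matters: the peek rules only match at their own steps, and the terminate/splice pair is what actually decides the connection at step 3. Because nothing is bumped, the only evidence of a denied request in the access log is a terminated CONNECT-style entry for the server name, which is the signal to alert on when validating the policy.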