On 2014-07-11 15:05, Alex Rousskov wrote:
On 07/11/2014 10:18 AM, James Lay wrote:
On 2014-07-11 10:14, Alex Rousskov wrote:
On 07/11/2014 05:43 AM, James Harper wrote:
Is it possible for squid to intercept and apply ACLs to https
without actually decrypting and generating certificates etc? The
conversation would go something like:
. Client makes connection to IP 1.2.3.4
. Squid intercepts the connection (but doesn't respond yet)
. Squid connects to 1.2.3.4 to obtain the hostname (CN or other
identifier) of the certificate [1]
. Squid applies ACL rules to the hostname [2]
. If the ACL results in a deny then the client connection is
dropped [3]
. If the ACL results in an allow then a new connection is made to
the 1.2.3.4 and squid just blindly proxies the TCP connection
[1] I believe certificates can be valid for multiple hostnames,
and wildcards, so this would have to be taken into account
[2] stream is encrypted, so obviously no access to URL etc
[3] dropped, because there isn't much else you can do with it,
although maybe at this point a fake cert could be used to supply
an "access denied" page?
I believe the above is one of the use cases that SSL Peek and Splice
project aims to address. Look for step2 "peek" and "terminate" actions
specifically:
http://wiki.squid-cache.org/Features/SslPeekAndSplice
IIRC, both of those actions are supported in the experimental project
branch, but we have not polished the changes for the official submission
yet.
https://code.launchpad.net/~measurement-factory/squid/peek-and-splice
HTH,
Alex.
I'd like this as well...how do we get the branch? Thanks.
See the URL above. You will need a bzr client to check the code out and
a development environment to bootstrap the sources and build Squid. Please
note that this unofficial trunk-based feature branch is not supported by
the Squid Project.
Thank you,
Alex.
Thanks Alex...I'll give it a go.
James
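The decision step of the proposal quoted above (peek at the server certificate, apply an ACL to the names it carries, then terminate or splice), written out as an added Python example. It is not code from this thread, from the peek-and-splice branch, or from the Squid project. It assumes the certificate has already been obtained and is available in the dict shape that `ssl.SSLSocket.getpeercert()` returns after a verified handshake (the sample dict below is constructed), and it uses Squid's dstdomain-style rule syntax (a leading dot matches a domain and all its subdomains) as the ACL format. The handling of note [1] is a policy choice of this example: a certificate is treated as denied if any name it covers, including what a wildcard name can cover, matches a deny rule.

```python
# Added example, not from the thread or the Squid project: the
# "peek, then apply an ACL to the certificate hostname" decision from
# the proposal, with the multi-name/wildcard caveat from note [1]
# handled conservatively. Only the policy step is shown; the certificate
# dict is constructed below in the shape ssl.SSLSocket.getpeercert()
# returns, so the example runs offline.

# Constructed sample certificate: CN plus several DNS SANs, one of them
# a wildcard, and one non-DNS SAN that must be ignored.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.example.com"),
        ("DNS", "example.com"),
        ("IP Address", "203.0.113.5"),
    ),
}


def _norm(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def cert_names(cert: dict) -> list:
    """Every DNS name the certificate is valid for: subject CN first,
    then DNS SANs, deduplicated with order kept."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(_norm(value))
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(_norm(value))
    return list(dict.fromkeys(names))


def rule_matches_host(host: str, rule: str) -> bool:
    """dstdomain-style rule (assumed ACL syntax): a leading dot matches
    the domain itself and every subdomain, otherwise the match is exact."""
    host, rule = _norm(host), _norm(rule)
    if rule.startswith("."):
        return host == rule[1:] or host.endswith(rule)
    return host == rule


def cert_name_matches(cert_name: str, rule: str) -> bool:
    """True if some host the certificate name covers would match the rule.
    A wildcard name '*.example.com' covers single-label children only
    (RFC 6125), never the apex 'example.com' and never 'a.b.example.com'."""
    cert_name, rule = _norm(cert_name), _norm(rule)
    if not cert_name.startswith("*."):
        return rule_matches_host(cert_name, rule)
    covered = cert_name[1:]  # "*.example.com" -> ".example.com"
    if rule.startswith("."):
        # Two suffix patterns overlap when either is a suffix of the other.
        return covered.endswith(rule) or rule.endswith(covered)
    # Exact rule: covered only if it sits exactly one label below the base.
    return rule.endswith(covered) and "." not in rule[: -len(covered)]


def decide(cert: dict, deny_rules) -> tuple:
    """Policy for the proposal: terminate if any name the certificate
    covers matches a deny rule, otherwise splice.
    Returns (action, offending_cert_name, matched_rule)."""
    for name in cert_names(cert):
        for rule in deny_rules:
            if cert_name_matches(name, rule):
                return ("terminate", name, _norm(rule))
    return ("splice", None, None)


if __name__ == "__main__":
    print(cert_names(SAMPLE_CERT))
    print(decide(SAMPLE_CERT, [".example.net"]))
    print(decide(SAMPLE_CERT, ["bad.example.com"]))
```

The conservative choice in `decide` matters for the wildcard case: the client's intended host is invisible here (note [2]), so a `*.example.com` certificate is the only evidence available, and a deny rule for `bad.example.com` has to be applied to it even though the client may have wanted `www.example.com`. A deployment that finds this too coarse would need the SNI from the client hello rather than the server certificate alone.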