On 16/11/2014 2:12 p.m., James Harper wrote:
> I've written a little helper to do ssl callouts to determine if
> the server is running ssl at all (e.g. not tunnelling over ssl), and
> also to be able to do limited ACL on CN/SAN. The main limitation is
> the way larger organisations will often have one SSL cert that
> covers many URLs (e.g. the google cert also covers google.com,
> youtube.com etc).
>
> Currently I need to do it like:
>
> external_acl_type cert_callout %DST %PORT /usr/local/squid/libexec/ext_cert_callout_acl
>
> acl banks dstdomain .bigbank.com
> acl banks dstdomain .otherbank.com
>
> acl is_ssl external cert_callout IS_SSL
> acl banks_callout external cert_callout SAN .bigbank.com
> acl banks_callout external cert_callout SAN .otherbank.com
>
> ssl_bump splice !is_ssl
> ssl_bump splice banks
> ssl_bump splice banks_callout
> ssl_bump bump all
>
> But I'd rather not have to maintain the banks and the
> banks_callout lists separately when they are identical. Apart from
> sticking them in a separate file, are there any shortcuts I can
> take?

Return a tag=X parameter from your helper and use the note ACL type in
ssl_bump. However, ssl_bump is a "fast" type ACL and as such is not
really capable of running external ACL tests.

> Also, it would be good if squid could make use of the CN from the
> certificate for logging, so instead of "CONNECT <IP>:<PORT>", I
> could log "CONNECT <CN>:<PORT>", which would really clean up the
> logs (apart from the cases mentioned above). I think I can use tag=
> or log=, but that would preclude me from using them for anything
> else (I'm not using them for anything else at the moment but
> still...)

<http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F>

Also note that for splice the server cert details are probably not available.
If the IP address reverse-DNS points at any of your "banks" ACL entries the
connection will be spliced without even seeing the ClientHello details.

Amos
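To make the thread concrete, here is an added example of what a cert-callout external ACL helper of the kind James describes could look like, written as a small Python 3 helper. It is not James Harper's `ext_cert_callout_acl` and not Squid project code. It assumes the `external_acl_type cert_callout %DST %PORT` line from the thread, so each request from Squid arrives as `<host> <port> <acl arguments>`; the `IS_SSL` and `SAN <suffix>...` modes follow James's config, and the `TAG` mode is a hypothetical addition that returns the `tag=X` response Amos suggests, so that the suffix list is maintained in one place (the constructed `TAG_POLICY` table) rather than in two ACL lists. Suffix matching deliberately mirrors Squid's `dstdomain` rule (".bigbank.com" matches the apex and any subdomain). The certificate fetch keeps verification enabled, so a server presenting an untrusted or mismatched certificate is reported the same way as a server that does not speak TLS at all and can never earn a splice decision; the trade-off is that such servers fall through to `ssl_bump bump all`, which is the conservative outcome.

```python
#!/usr/bin/env python3
"""Hypothetical Squid external_acl_type helper (added example; not the helper
from the thread and not Squid project code).

Assumed squid.conf side, matching the thread:
  external_acl_type cert_callout %DST %PORT /path/to/this_helper.py
  acl is_ssl        external cert_callout IS_SSL
  acl banks_callout external cert_callout SAN .bigbank.com .otherbank.com
Hypothetical extra mode returning Amos's tag=X response:
  acl banks_tagged  external cert_callout TAG
"""
import socket
import ssl
import sys

# Constructed policy: certificate-name suffix -> tag. One list to maintain.
TAG_POLICY = {".bigbank.com": "banks", ".otherbank.com": "banks"}


def names_from_cert(cert):
    """Collect the CN and DNS SANs from an ssl.getpeercert() dictionary."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(name, suffix):
    """Squid dstdomain semantics: '.example.com' matches itself and subdomains."""
    suffix = suffix.lower()
    if suffix.startswith("."):
        return name == suffix[1:] or name.endswith(suffix)
    return name == suffix


def fetch_cert(host, port, timeout=5.0):
    """Return the verified peer certificate dict, or None when the server does
    not speak TLS or presents a certificate that fails verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, int(port)), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    except (ssl.SSLError, OSError, ValueError):
        return None


def decide(names, args, policy=TAG_POLICY):
    """Turn the certificate names plus the ACL arguments into a helper reply.
    names is None when no verifiable certificate was obtained."""
    if not args:
        return "BH message=missing_acl_arguments"
    mode, params = args[0].upper(), args[1:]
    if mode == "IS_SSL":
        return "OK" if names is not None else "ERR"
    if names is None:
        return "ERR"  # SAN and TAG need a certificate to look at
    if mode == "SAN":
        if any(name_matches(n, s) for s in params for n in names):
            return "OK"
        return "ERR"
    if mode == "TAG":  # hypothetical mode: single policy table, tag= reply
        for suffix, tag in policy.items():
            if any(name_matches(n, suffix) for n in names):
                return "OK tag=" + tag
        return "ERR"
    return "BH message=unknown_mode"


def handle_line(line, fetch=fetch_cert):
    """Process one request line from Squid: '<host> <port> <mode> [params...]'."""
    fields = line.split()
    if len(fields) < 2:
        return "BH message=malformed_request"
    host, port, args = fields[0], fields[1], fields[2:]
    cert = fetch(host, port)
    names = names_from_cert(cert) if cert else None
    return decide(names, args)


def main():
    # Without concurrency=N in squid.conf there is no channel-ID prefix.
    for line in sys.stdin:
        line = line.strip()
        if line:
            sys.stdout.write(handle_line(line) + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Squid starts the helper and writes one request per line on its stdin; the reply line is `OK`, `ERR` or `BH` followed by optional `key=value` pairs, so `OK tag=banks` is what the `TAG` mode hands back for a bank certificate. Amos's caveats still apply unchanged: whether `ssl_bump` can consume a slow external ACL depends on the Squid version, and at the splice decision point the server certificate has not yet been seen, so a helper like this only ever reports what the server presented, never what the client asked for.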