Seems to me it would be more useful as an external ACL so that a decision could be made based on other factors, e.g. src or dstdomain, whether to deny or allow the un-bumpable connection.
On Sun, Jan 4, 2015 at 4:29 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
As I can see, we have two major problems with SSL Bump now.
1. Stupid apps and their stupid developers - like ICQ and other stupid IMs - which hope port 443 will never be blocked because it is used for logons/internet banking etc.
This stupid approach breaks standards (?) and makes us crazy. Right now the only solution is to catch them manually and pass them through without bumping. This is the simplest problem, and I hope it will be solved in the core - i.e. in Squid directly.
2. SSL-pinned sites. We cannot do anything with them except sniff them and pass them by IP without bumping.
The first problem seems easy to solve, either by a helper or by Squid itself - no matter. It's really simple: just check the SSL cert on the server side and make a decision - to bump, or not to bump.
The second problem seems difficult, and right now I can't see any reasonable solution except a sniffer and manually adding to an ACL.
Any ideas? Will a helper be written?
WBR, Yuri
05.01.2015 2:17, Douglas Davenport writes:
> I saw a very similar feature in ufdbGuard which is a URL filter implemented as a Squid Redirector. They have a feature which probes the destination server for a valid HTTPS cert in parallel to the user's connection and terminates it if it turns out not to be a valid HTTPS cert. Their code is open source, maybe this could be helpful in creating such a helper?
>
> http://www.urlfilterdb.com/home.html
>
> On Sat, Jan 3, 2015 at 3:45 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>
>
> The term "HTTPS" is often used to mean "any connection over port 443"....
>
> 03.01.2015 13:59, Jason Haar writes:
> > On 01/01/15 00:11, James Harper wrote:
> >> The helper connects to the IP:port and tries to obtain the
> >> certificate, and then caches the result (in an sqlite database). If it
> >> can't do so within a fairly short time it returns failure (but keeps
> >> trying a bit longer and caches it for next time). Alternatively if the
> >> IP used to be SSL but is now timing out it returns the previously cached
> >> value. Negative results are cached for an increasing amount of time each
> >> time it fails, on the basis that it probably isn't SSL.
> > That sounds great James! I'd certainly like to take a look at it too
>
> > However, you say "SSL" - did you mean "HTTPS"? i.e. discovering an ip:port
> > is an IMAPS server doesn't really help squid talk to it - surely you want
> > to discover HTTPS servers - and everything else should be
> > pass-through/splice?
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
>
>
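The probing helper James describes (connect to IP:port, try to fetch the certificate, cache the answer in sqlite, cache failures for an increasing time, and keep the old positive answer when a known TLS host starts timing out) is sketched below as an added example. It is not code from James, ufdbGuard or the Squid project. It is written as a Squid external ACL helper in Python, which also gives the "external ACL" shape suggested at the top of the thread: Squid can combine its OK/ERR answer with src or dstdomain ACLs before deciding to splice or bump. The squid.conf lines in the docstring, the %DST/%PORT request format, the cache path, the timeouts and the TTL values are all assumptions chosen for the example.

```python
#!/usr/bin/env python3
"""Squid external ACL helper (example): does DST:PORT actually speak TLS?

Reads "ip port" lines on stdin, answers OK when the destination completes a
TLS handshake and presents a certificate, ERR when it does not, BH on a
malformed request. Answers are cached in sqlite so hosts are probed rarely.

Assumed squid.conf wiring (a sketch, not taken from the thread):
  external_acl_type tls_probe ttl=300 negative_ttl=60 %DST %PORT /usr/local/bin/tls_probe_helper.py
  acl is_tls external tls_probe
  ssl_bump splice !is_tls      # non-TLS / un-bumpable traffic is passed through
  ssl_bump bump all
"""
import socket
import sqlite3
import ssl
import sys
import time

PROBE_TIMEOUT = 2.0           # seconds allowed for TCP connect plus TLS handshake
POSITIVE_TTL = 24 * 3600      # a confirmed TLS server is remembered for a day
NEGATIVE_BASE_TTL = 60        # first failure: re-probe after a minute ...
NEGATIVE_MAX_TTL = 6 * 3600   # ... doubling per repeated failure, capped at 6 hours


def negative_ttl(failures):
    """TTL after the n-th consecutive failure: 60s, 120s, 240s, ... up to the cap."""
    return min(NEGATIVE_BASE_TTL * 2 ** (failures - 1), NEGATIVE_MAX_TTL)


def probe_tls(ip, port, timeout=PROBE_TIMEOUT):
    """True if ip:port finishes a TLS handshake and hands over a leaf certificate.

    Verification is off on purpose: the question is "is this TLS?", not "is the
    certificate trustworthy?" (Squid decides that when it bumps). No SNI is sent
    because only the IP is known; SNI-only hosts will be classified as non-TLS.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return bool(tls.getpeercert(binary_form=True))
    except (OSError, ssl.SSLError):
        return False


class ProbeCache:
    """sqlite-backed cache of probe results; ":memory:" keeps it process-local."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS probe ("
                        "key TEXT PRIMARY KEY, is_tls INTEGER, expires REAL, failures INTEGER)")

    def lookup(self, key):
        """Return (is_tls, expires, failures) or None; expired rows are returned too."""
        return self.db.execute(
            "SELECT is_tls, expires, failures FROM probe WHERE key = ?", (key,)).fetchone()

    def store(self, key, is_tls, now):
        """Record a fresh result; consecutive failures lengthen the negative TTL."""
        prev = self.lookup(key)
        failures = 0 if is_tls else (prev[2] + 1 if prev and not prev[0] else 1)
        ttl = POSITIVE_TTL if is_tls else negative_ttl(failures)
        self.db.execute("INSERT OR REPLACE INTO probe VALUES (?, ?, ?, ?)",
                        (key, int(is_tls), now + ttl, failures))
        self.db.commit()
        return ttl


def classify(ip, port, cache, probe=probe_tls, now=None):
    """Return "OK" (TLS server, safe to bump) or "ERR" (splice / pass through)."""
    now = time.time() if now is None else now
    key = f"{ip}:{port}"
    row = cache.lookup(key)
    if row is not None and row[1] > now:        # fresh cache hit, no network
        return "OK" if row[0] else "ERR"
    if probe(ip, port):
        cache.store(key, True, now)
        return "OK"
    if row is not None and row[0]:
        # Known TLS server that is now timing out: keep the old answer instead
        # of flipping to ERR on one bad probe; the stale row makes us retry next time.
        return "OK"
    cache.store(key, False, now)
    return "ERR"


def handle_line(line, cache, probe=probe_tls, now=None):
    """One helper request ("ip port"); BH tells Squid the request was malformed."""
    parts = line.split()
    if len(parts) != 2 or not parts[1].isdigit():
        return "BH"
    return classify(parts[0], int(parts[1]), cache, probe, now)


def main():
    cache = ProbeCache("/var/cache/squid/tls_probe.db")   # assumed path
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, cache) + "\n")
        sys.stdout.flush()                                 # Squid waits for each answer


if __name__ == "__main__":
    main()
```

The `probe` parameter exists so the classification and caching logic can be exercised without network access; in production the default `probe_tls` is used. Note that, as Jason points out, a completed handshake only proves "TLS", not "HTTPS": an IMAPS or XMPP-over-TLS server also answers OK, so this ACL is best combined with port or dstdomain ACLs in squid.conf rather than used alone.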