On 05/14/2015 12:37 AM, Amos Jeffries wrote:
Yes the second option, not the particular machine, but the FQDN
(i.e.<http://www.cooking.com> )
# get TLS SNI details etc
ssl_bump peek all
# some get rejected
acl blocked ssl:server_name .example.com
ssl_bump reject blocked
# the rest allowed without decrypting
ssl_bump splice all
When is the TLS SNI information made available by the client?
They send it or they dont. Nothign you or we can do about it.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
One Follow up question.
You said "They send it or they don't. Nothing you or we can do about
it." Are you referring to that we don't have control if they send it or
not, or there is nothing we can do if they don't?
My question is, is there some way to either reject the conection, or do
a full SSL bump the connection for further examnation if the TLS SNI
information isn't present? From my understanding all modern browsers
should be sending the TLS SNI information, and the SSL fallback has been
disabled by default on them except for Windows IE. So blocking
connections that fail to give TLS SNI information doesn't appear to be a
problem except for people using outdated devices.
Casey
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
