On 06/10/15 23:21, Walter H. wrote:
> Hello,
>
> can you please provide an example of how to use this in squid.conf

#create external acl checker that returns "ERR" or "OK" based on cert data sent to it
external_acl_type checkIfHTTPS children-max=20 concurrency=20 negative_ttl=3600 ttl=3600 grace=90 %SRC %DST %PORT %ssl::>sni /usr/local/bin/confirm_https.pl
acl is_ssl external checkIfHTTPS

#only bump SSL transactions that return "OK"
ssl_bump bump is_ssl

Then the script is passed srcIP, dstHostname|dstIP (depends on whether this is a CONNECT or transparent proxy), port (probably 443) and the SNI value (if present).

My script does a bunch of checks, and now includes downloading the server cert, scraping it for CRL data, downloading the CRL file and comparing the cert's serial number against that CRL - hence discovering if it's revoked or not.

The script can differentiate between non-SSL, SSL, HTTPS and HTTPS-to-whitelisted-sites, HTTPS-with-self-signed, HTTPS-with-untrusted-CA, HTTPS-with-client-cert, HTTPS-with-CRL-check. In all these "failure" cases it returns "ERR", which causes squid to NOT bump the connection and instead splice it.

End result is squid only bumps sessions it can successfully and safely bump, and applications like Gtalk, Skype, and regex-whitelisted sites work without human intervention, leaving cert pinning as the only manual process (because these cannot be detected; only the application "knows" if it's pinned).

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
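An added example, not Jason's confirm_https.pl and not part of the original thread: a Python skeleton of an external ACL helper that speaks the concurrent request/reply protocol the external_acl_type line above configures (channel ID first because of concurrency=20, then %SRC %DST %PORT %ssl::>sni, absent values arriving as "-"). It applies the same fail-safe policy the message describes, anything it cannot vouch for gets "ERR" so squid splices rather than bumps. The whitelist patterns, the URL-decoding of fields and all function names are my assumptions; the certificate download and CRL lookup of the real script are left out because they need network access.

```python
#!/usr/bin/env python3
"""Skeleton squid external_acl helper for an ssl_bump decision (added example).

Request line (with concurrency=N in external_acl_type):
    <channel-id> <src> <dst> <port> <sni>
Reply line:
    <channel-id> OK    -> ssl_bump bump applies (bump the session)
    <channel-id> ERR   -> acl does not match (squid splices instead)
Missing values arrive as "-"; fields are assumed URL-quoted, as squid's
default quote=url does, so each one is unquoted before use.
"""
import re
import sys
from urllib.parse import unquote

# Hypothetical patterns for sites that must never be bumped (assumption).
# Matching is on the SNI host, anchored at a label boundary.
SPLICE_PATTERNS = [
    re.compile(r"(^|\.)talk\.google\.com$"),
    re.compile(r"(^|\.)skype\.com$"),
]


def decide(src, dst, port, sni):
    """Return "OK" to bump or "ERR" to splice.

    The policy is deliberately conservative: every case we cannot
    classify as plain, bump-safe HTTPS answers ERR, so the worst outcome
    of a helper mistake is an unbumped (spliced) session, never a broken one.
    """
    if port != "443":
        return "ERR"            # not HTTPS on the usual port: leave it alone
    if not sni or sni == "-":
        return "ERR"            # no SNI: we cannot tell what we would bump
    host = sni.lower().rstrip(".")
    for pattern in SPLICE_PATTERNS:
        if pattern.search(host):
            return "ERR"        # regex-whitelisted site: splice, do not bump
    # The real helper would fetch the server cert here and check issuer
    # trust, self-signed status, client-cert requests and the CRL; a
    # failure in any of those also maps to ERR.
    return "OK"


def handle_line(line):
    """Parse one request line from squid and build the reply line."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) < 5:
        # Malformed request: answer the channel we can identify, but never
        # bump on a guess.
        chan = parts[0] if parts and parts[0] else "0"
        return f"{chan} ERR"
    chan = parts[0]
    src, dst, port, sni = (unquote(p) for p in parts[1:5])
    return f"{chan} {decide(src, dst, port, sni)}"


def main():
    # Constructed usage: run under squid, stdin carries one request per
    # line and each reply must be written and flushed immediately, because
    # squid blocks that channel until the answer arrives.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Point the external_acl_type line at this file instead of confirm_https.pl to try it; with concurrency set, squid sends the channel ID and expects it echoed back, so a helper written without it (the concurrency=0 format) silently produces replies squid cannot match to a request.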