Re: Ssl-Bump and revoked server certificates

On 10/06/2015 07:18 PM, Jason Haar wrote:
On 06/10/15 23:21, Walter H. wrote:
Hello,

can you please provide an example of how to use this in squid.conf

# create external acl checker that returns "ERR" or "OK" based on cert data sent to it
external_acl_type checkIfHTTPS children-max=20 concurrency=20 negative_ttl=3600 ttl=3600 grace=90 %SRC %DST %PORT %ssl::>sni /usr/local/bin/confirm_https.pl
acl is_ssl external checkIfHTTPS

# only bump SSL transactions that return "OK"
ssl_bump bump is_ssl


Then the script is passed srcIP, dstHostname|dstIP (depends on whether
this is a CONNECT or transparent proxy), port (probably 443) and the SNI
value (if present)

My script does a bunch of checks, and now includes downloading the
server cert, scraping it for CRL data, downloading the CRL file and
comparing the cert's serial number against that CRL - hence discovering
if it's revoked or not.

The script can differentiate between non-SSL, SSL, HTTPS and
HTTPS-to-whitelisted-sites, HTTPS-with-self-signed,
HTTPS-with-untrusted-CA, HTTPS-with-client-cert, HTTPS-with-CRL-check -
in all these "failure" cases it returns "ERR" - which causes squid to
NOT bump the connection and instead splice it. End result is squid only
bumps sessions it can successfully and safely bump, and applications
like Gtalk, Skype, and regex-whitelisted sites work without human
intervention - leaving cert pinning as the only manual process
(because these cannot be detected - only the application "knows" if it's
pinned).
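The helper that the external_acl_type line above expects, written here as an added example (it is not Jason's confirm_https.pl). Because the line sets concurrency=20, Squid prefixes every request with a channel id that the answer must echo; the optional CRL file path and the injectable probe hook are assumptions of this example, and a verification failure of any kind maps to "ERR" so the connection is spliced rather than bumped.

```python
import socket
import ssl
import sys

# Added example helper for:  external_acl_type ... concurrency=20 ... %SRC %DST %PORT %ssl::>sni
# Squid sends "<channel-id> SRC DST PORT SNI" per line and expects "<channel-id> OK|ERR".
# An empty value (e.g. no SNI in the ClientHello) arrives as "-".
# crl_file and the probe hook are assumptions of this example, not Squid's interface.

def probe_server(host, port, crl_file=None, timeout=5.0):
    """Open a TLS session to host:port and let OpenSSL verify the chain against
    the system trust store. If crl_file (PEM) is given, the leaf is also checked
    against that CRL. Any failure (self-signed, untrusted CA, revoked, timeout,
    name mismatch) raises OSError, which the caller turns into ERR (splice)."""
    ctx = ssl.create_default_context()
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["serialNumber"]   # hex serial, for logging

def decide(src, dst, port, sni, probe=probe_server):
    """Return "OK" only when the server presents a verifiable, unrevoked
    certificate; everything else returns "ERR" so Squid splices the session."""
    if port != "443":
        return "ERR"                        # not HTTPS on the usual port: leave it alone
    host = dst if sni == "-" else sni       # verify the name the client actually asked for
    try:
        probe(host, int(port))
    except OSError:                         # ssl.SSLError and socket.timeout are OSError subclasses
        return "ERR"
    return "OK"

def handle_line(line, probe=probe_server):
    """Parse one concurrency-format request line and build the reply for Squid."""
    parts = line.split()
    if len(parts) != 5:
        return (parts[0] + " BH") if parts else "BH"   # BH = helper-side failure
    channel, src, dst, port, sni = parts
    return "%s %s" % (channel, decide(src, dst, port, sni, probe))

if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()                  # Squid blocks until the answer arrives
```
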

Hi Jason,

This sounds like an interesting script. Do you want to make this public?
And what about sites that use HSTS, can you also do a "GET /" and check
the headers for HSTS?

Marcus

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users