Hi list,

I'm trying to implement SSL blacklists based on SHA1 fingerprints (squid 3.5.11). As I know, certificate fingerprints are one of the parts of a certificate which are visible in unencrypted traffic.

It seems that blocking https sites based on fingerprints is only working with an ssl_bump-enabled configuration. The directive which denies the access based on the fingerprint is "ssl_bump bump all" in my case.

The necessary parts of my config:

    acl DENY_SSL_BUMP ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
    acl tls_s1_connect at_step SslBump1
    acl SSL_BL server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
    http_access deny SSL_BL
    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem
    ssl_bump peek tls_s1_connect all
    ssl_bump splice DENY_SSL_BUMP
    ssl_bump bump all

Question: Why do I need a "full" ssl_bump configuration to prevent access based on fingerprints? Why is it not enough to just "peek" at the certificate/connection?

Thanks a lot.

Kind regards,
Tom

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
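A small helper for building and checking the fingerprint file that the server_cert_fingerprint ACL above reads, as an added example that is not part of the original post and not Squid's own code. Squid documents the fingerprint as the SHA-1 digest of the certificate's full DER encoding, written as colon-separated hex pairs (XX:XX:...:XX); everything else here (the function names, the constructed certificate bytes, the sample file contents and its comment syntax) is an assumption made for the example. The point it shows is that a fingerprint list is only as good as its normalisation: an entry in the wrong case or with a typo is a rule that never matches, so the loader canonicalises and rejects malformed lines instead of silently accepting them.

```python
import hashlib
import re
from typing import Iterable

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def format_fingerprint(digest: bytes) -> str:
    """Render a 20-byte SHA-1 digest as XX:XX:...:XX (uppercase hex,
    colon separated), the form squid documents for its fingerprint file."""
    if len(digest) != 20:
        raise ValueError("SHA-1 digest must be 20 bytes")
    return ":".join(f"{b:02X}" for b in digest)


def cert_sha1_fingerprint(der_bytes: bytes) -> str:
    """SHA-1 fingerprint of a certificate: the digest of its whole DER encoding
    (the same value `openssl x509 -noout -fingerprint -sha1` prints)."""
    return format_fingerprint(hashlib.sha1(der_bytes).digest())


def parse_fingerprint(text: str) -> str:
    """Normalise one entry as it may appear in the file (any case, with or
    without colons) into the canonical XX:XX form, rejecting anything that is
    not exactly 40 hex digits so a typo cannot become a rule that never fires."""
    hexdigits = text.strip().replace(":", "").upper()
    if not HEX40.match(hexdigits):
        raise ValueError(f"not a SHA-1 fingerprint: {text!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2))


def load_blacklist(lines: Iterable[str]) -> set[str]:
    """Parse the fingerprint file: one fingerprint per line; blank lines and
    '#' comments (an assumed convention for this example) are ignored."""
    entries = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.add(parse_fingerprint(line))
    return entries


def is_blacklisted(der_bytes: bytes, blacklist: set[str]) -> bool:
    """Would a server presenting this certificate be matched by the list?"""
    return cert_sha1_fingerprint(der_bytes) in blacklist


# Constructed stand-in for a server certificate's DER bytes (not a real cert).
CONSTRUCTED_CERT = b"\x30\x82\x01\x00" + b"constructed certificate body" * 8

# Constructed contents of /etc/squid/SSL_BLACKLIST: one entry is written in
# lower case to exercise normalisation, the other in the canonical form.
SAMPLE_BLACKLIST = f"""
# SSL_BLACKLIST -- SHA-1 fingerprints of server certificates to deny
{cert_sha1_fingerprint(CONSTRUCTED_CERT).lower()}   # constructed entry
{format_fingerprint(bytes(range(20)))}
""".splitlines()


def check_sample() -> bool:
    """True when the constructed certificate is matched by the constructed file."""
    return is_blacklisted(CONSTRUCTED_CERT, load_blacklist(SAMPLE_BLACKLIST))


if __name__ == "__main__":
    print("fingerprint:", cert_sha1_fingerprint(CONSTRUCTED_CERT))
    print("blacklisted:", check_sample())
```

To populate the real file from a certificate you have on disk, the value to paste is what `openssl x509 -in cert.pem -noout -fingerprint -sha1` prints after the `=`; running a file through load_blacklist before deploying it catches the entries that would otherwise be accepted by the proxy but never match anything.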