On 4/12/2015 9:34 p.m., Tom Tom wrote:
> Hi list,
>
> I'm trying to implement SSL blacklists based on SHA1 fingerprints
> (squid 3.5.11). As I know, certificate fingerprints are one of the
> parts of a certificate which are visible in unencrypted traffic.
>
> It seems that blocking https sites based on fingerprints is only
> working with an ssl_bump-enabled configuration. The directive which
> denies the access based on the fingerprint is "ssl_bump bump all" in
> my case.
>
> The necessary parts of my config:
>
> acl DENY_SSL_BUMP ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
> acl tls_s1_connect at_step SslBump1
> acl SSL_BL server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
> http_access deny SSL_BL
>
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem
> ssl_bump peek tls_s1_connect all
> ssl_bump splice DENY_SSL_BUMP
> ssl_bump bump all
>
> Question:
> Why do I need a "full" ssl_bump configuration to prevent access based
> on fingerprints?

Because "deny" in the form you are trying to do it is an HTTP message.
In order to perform HTTP over a TLS connection you have to decrypt it
first.

> Why is it not enough with just "peeking" the
> certificate/connection?

Because peeking is an action done to the TLS layer.

What you actually want to be doing is:

  acl step1 at_step SslBump1
  acl whitelist ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
  acl blacklist server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"

  ssl_bump splice whitelist
  ssl_bump peek step1
  ssl_bump stare all
  ssl_bump terminate blacklist
  ssl_bump bump all

Notice how http_access is not part of the TLS ssl_bump processing.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
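The server_cert_fingerprint ACL used in the exchange above matches the SHA1 digest of the server certificate's DER encoding. The following is an added example (not part of the thread and not Squid project code) showing how such entries for the SSL_BLACKLIST file can be produced and checked from a PEM certificate. It assumes the fingerprint is written as colon-separated uppercase hex (the form openssl x509 -fingerprint prints), that the ACL file holds one fingerprint per line with # comments, and it uses a constructed PEM body (base64 of the bytes "abc", not a real certificate) purely so the result can be checked by hand.

```python
import base64
import hashlib
import re

# Matches the base64 body of a single PEM CERTIFICATE block.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed placeholder: base64("abc"), NOT a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed sample blacklist file in the assumed one-per-line format.
SAMPLE_BLACKLIST = """# SHA1 fingerprints of server certificates to terminate
a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d  # sample entry
"""


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in pem_text."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint_from_der(der_bytes):
    """SHA1 over the DER encoding, formatted as AA:BB:CC:... (assumed ACL form)."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem_text):
    """Convenience wrapper: PEM text -> colon-separated SHA1 fingerprint."""
    return fingerprint_from_der(pem_to_der(pem_text))


def load_blacklist(text):
    """Parse the ACL file: strip # comments and blank lines, normalise case."""
    entries = set()
    for line in text.splitlines():
        value = line.split("#", 1)[0].strip()
        if value:
            entries.add(value.upper())
    return entries


def is_blacklisted(fingerprint, blacklist):
    """True if the fingerprint appears in the parsed blacklist."""
    return fingerprint.upper() in blacklist


if __name__ == "__main__":
    fp = fingerprint_from_pem(SAMPLE_PEM)
    print("fingerprint:", fp)
    print("blacklisted:", is_blacklisted(fp, load_blacklist(SAMPLE_BLACKLIST)))
```

The hash is taken over the raw DER bytes rather than the PEM text, which is why the base64 is decoded first; hashing the PEM file itself would give a value Squid never compares against.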