Hi Amos

The configuration you provided above also works fine. Thank you.

Which configuration is generally proposed or "the way to go": the one which terminates SSL blacklists with "ssl_bump terminate", or the other which denies the https blacklist with "http_access deny"? Are there some speed/security considerations?

Kind regards,
Tom

On Fri, Dec 4, 2015 at 1:40 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 4/12/2015 9:34 p.m., Tom Tom wrote:
>> Hi list,
>>
>> I'm trying to implement SSL blacklists based on SHA1 fingerprints
>> (squid 3.5.11). As I know, certificate fingerprints are one of the
>> parts of a certificate which are visible in unencrypted traffic.
>>
>> It seems that blocking https sites based on fingerprints is only
>> working with an ssl_bump-enabled configuration. The directive which
>> denies the access based on the fingerprint is "ssl_bump bump all" in
>> my case.
>>
>> The necessary parts of my config:
>> acl DENY_SSL_BUMP ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
>> acl tls_s1_connect at_step SslBump1
>> acl SSL_BL server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
>> http_access deny SSL_BL
>>
>> http_port 3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem
>> ssl_bump peek tls_s1_connect all
>> ssl_bump splice DENY_SSL_BUMP
>> ssl_bump bump all
>>
>> Question:
>> Why do I need a "full" ssl_bump-configuration to prevent access based
>> on fingerprints?
>
> Because "deny" in the form you are trying to do it is an HTTP message.
> In order to perform HTTP over a TLS connection you have to decrypt it first.
>
>> Why is it not enough with just "peeking" the
>> certificate/connection?
>
> Because peeking is an action done to the TLS layer.
>
> What you actually want to be doing is:
>
> acl step1 at_step SslBump1
> acl whitelist ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
> acl blacklist server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
>
> ssl_bump splice whitelist
> ssl_bump peek step1
> ssl_bump stare all
> ssl_bump terminate blacklist
> ssl_bump bump all
>
> Notice how http_access is not part of the TLS ssl_bump processing.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
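The /etc/squid/SSL_BLACKLIST file referenced in both configurations holds one SHA1 fingerprint per line. As an added example that is not from this thread, the following Python derives such a fingerprint from a certificate's DER bytes and checks it against the contents of a blacklist file; it assumes the colon-separated "XX:XX:...:XX" form squid documents for server_cert_fingerprint and the "SHA1 Fingerprint=" prefix that `openssl x509 -fingerprint -sha1` prints, and both the certificate bytes and the list entries are constructed, not real.

```python
import base64
import hashlib
import re

def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body between the CERTIFICATE markers and decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def sha1_fingerprint(der: bytes) -> str:
    """SHA1 over the DER encoding, rendered as 20 upper-case hex pairs joined by ':'."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))

def normalize(fp: str) -> str:
    """Accept openssl's 'SHA1 Fingerprint=..' line, lower-case or colon-less hex."""
    fp = fp.split("=", 1)[-1].strip().replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return ":".join(fp[i:i + 2] for i in range(0, 40, 2))

def load_blacklist(text: str) -> set:
    """Parse ACL file contents: one fingerprint per line, '#' starts a comment."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(normalize(line))
    return entries

def is_blacklisted(der: bytes, blacklist: set) -> bool:
    """True when the server certificate's SHA1 fingerprint is listed."""
    return sha1_fingerprint(der) in blacklist

# Constructed sample: the PEM body is arbitrary bytes, not a real certificate.
# The fingerprint depends only on the DER bytes, so this is enough to exercise it.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-not-a-real-certificate").decode() + "\n"
              + "-----END CERTIFICATE-----\n")
SAMPLE_DER = pem_to_der(SAMPLE_PEM)
# Constructed blacklist contents, in two spellings an admin might paste.
SAMPLE_BLACKLIST = load_blacklist(
    "# constructed entries\n"
    + "SHA1 Fingerprint=" + sha1_fingerprint(SAMPLE_DER) + "\n"
    + "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd\n")
```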