On 12/04/2015 05:40 AM, Amos Jeffries wrote:
> On 4/12/2015 9:34 p.m., Tom Tom wrote:
>> Why do I need a "full" ssl_bump-configuration to prevent access based
>> on fingerprints?
>
> Because "deny" in the form you are trying to do it is an HTTP message.
> In order to perform HTTP over a TLS connection you have to decrypt it first.
>
> What you actually want to be doing is:
>
>   acl step1 at_step SslBump1
>   acl whitelist ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
>   acl blacklist server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
>
>   ssl_bump splice whitelist
>   ssl_bump peek step1
>   ssl_bump stare all
>   ssl_bump terminate blacklist
>   ssl_bump bump all

Please consider adding this fine example to the SslPeekAndSplice wiki page at
http://wiki.squid-cache.org/Features/SslPeekAndSplice

Please note that if you do not want to bump anything, then the following
should also work (bugs notwithstanding):

  ssl_bump splice whitelist
  ssl_bump peek all
  ssl_bump terminate blacklist
  ssl_bump splice all

Thank you,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
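Both rulesets in the thread depend on Squid re-evaluating ssl_bump at each SslBump step and on server_cert_fingerprint only having data once the server certificate has been peeked or stared at (step 3). The script below is an added example, not Squid's code or the posters' own; it models that evaluation in simplified form (the per-step data availability and the step-3 action restrictions are assumptions based on Squid's documented behaviour, and the third ruleset is constructed) and checks whether the fingerprint-based terminate rule is ever reachable.

```python
# Added example, not Squid's own code. Model: ssl_bump rules are re-evaluated top-down at each
# SslBump step, skipping rules whose ACL has no data yet or whose action is banned there.
EARLIEST_STEP = {"server_cert_fingerprint": 3}  # other ACL types here have data from step 1

def parse(conf):
    """Collect acl definitions and ordered ssl_bump rules from a squid.conf fragment."""
    acls, rules = {"all": ("all", [])}, []
    for parts in (line.split() for line in conf.splitlines()):
        if parts[:1] == ["acl"]:
            acls[parts[1]] = (parts[2], parts[3:])
        elif parts[:1] == ["ssl_bump"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def matches(name, acls, step, matching):
    """True/False if evaluable at this step; None if the ACL's data is not available yet."""
    kind, args = acls[name.lstrip("!")]
    if EARLIEST_STEP.get(kind, 1) > step:
        return None
    if kind == "at_step":
        result = f"SslBump{step}" in args
    else:
        result = kind == "all" or name.lstrip("!") in matching  # 'matching': ACLs assumed to match
    return result != name.startswith("!")

def decide(rules, acls, step, matching, previous=None):
    """First allowed, fully matching rule; step 3 bans peek/stare, bump-after-peek, splice-after-stare."""
    banned = {"peek", "stare", "bump" if previous == "peek" else "splice"} if step == 3 else set()
    for action, names in rules:
        verdicts = [matches(n, acls, step, matching) for n in names]
        if action not in banned and verdicts and all(v is True for v in verdicts):
            return action, names
    return None, []

def terminates_on(conf, acl_name):
    """Step at which a client matching only acl_name is terminated, or None if never."""
    acls, rules = parse(conf)
    action = None
    for step in (1, 2, 3):
        action, names = decide(rules, acls, step, {acl_name}, action)
        if action == "terminate" and acl_name in names:
            return step
        if action not in ("peek", "stare"):   # spliced/bumped/unmatched before step 3
            return None

ACLS = ('acl step1 at_step SslBump1\nacl whitelist ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"\n'
        'acl blacklist server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"\n')
AMOS = ACLS + "ssl_bump splice whitelist\nssl_bump peek step1\nssl_bump stare all\nssl_bump terminate blacklist\nssl_bump bump all"
ALEX = ACLS + "ssl_bump splice whitelist\nssl_bump peek all\nssl_bump terminate blacklist\nssl_bump splice all"
NO_PEEK = ACLS + "ssl_bump terminate blacklist\nssl_bump splice all"  # constructed: nothing reaches step 3
```

Both rulesets from the thread reach the terminate rule at step 3, while the constructed ruleset splices every connection at step 1 because the fingerprint ACL has no data there yet.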