Hey,

There was something about it but I believe it's only on squid version 4.0.X.
The other option for such a thing is to use an external_acl helper that will try to initiate a connection to the destination host (like what is done in the happy eyeballs) and to inspect the certificate to match specific criteria.
I was working on such a helper a year ago but stopped touching it since there was something I didn't expect.
I can try to dig in my repository and see if I find the helper.
Let me know if I should bother with it.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Hanoch Hanoch K
Sent: Monday, March 6, 2017 3:47 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Ssl bump tunneling connection by using Common Name

Greetings

We're using Squid 3.5.19 with ssl bump, and we want to tunnel (not bump) applications such as skype, that use pinned ssl, so we defined an acl for splicing skype's ssl_server_name.
However skype's client app uses client certificates that don't have SNI.
The only way to identify skype is its Common Name: *.dc.trouter.io
But the Common Name is available only in step3 of ssl bump, where tunneling the connection is no longer possible (as documented in peek and splice step3 docs). What we get is bumping.
Is there a way we can tunnel an acl based on Common Name?
http_port 3127
http_port 3128 intercept
https_port 3129 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
always_direct allow all
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i (microsoft|msn|windows|update|skype.com|go.trouter.io|secure.adnxs.com|pipe.skype.com|skype-m.hotmail.com|mobile.pipe.aria.microsoft.com|edge.skype.com|api.cc.skype.com|a.config.skype.com|clientlogin.cdn.skype.com|.dc.trouter.io|ui.skype.com|apps.skype.com|registrar-rr.prod.registrar.skype.com|secure.skypeassets.com|c1.skype.com)
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
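The helper Eliezer describes, sketched here as an added example (not his helper and not code from the thread): a Go external_acl helper that opens a throw-away TLS connection to the intercepted destination at SslBump1, reads the CN and DNS SANs from the certificate the server presents, and answers OK when they fall under dc.trouter.io so the connection can be spliced before step 3. The squid wiring is assumed, not taken from the thread: `external_acl_type cn_peek ttl=300 %DST %PORT /usr/local/bin/cn_peek`, `acl SpliceByCN external cn_peek`, and `ssl_bump splice SpliceByCN` placed before the peek rule; the domain, timeout and helper path are constructed values.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"net"
	"os"
	"strings"
	"time"
)

// Splice policy, constructed for this example around the *.dc.trouter.io CN
// from the thread: a leaf whose CN or DNS SAN is this domain or a subdomain is tunnelled.
const spliceDomain = "dc.trouter.io"

// shouldSplice reports whether any presented name matches the policy (a wildcard such as "*.dc.trouter.io" passes the suffix test).
func shouldSplice(names []string) bool {
	for _, n := range names {
		if n = strings.ToLower(n); n == spliceDomain || strings.HasSuffix(n, "."+spliceDomain) {
			return true
		}
	}
	return false
}

// decide maps one request line ("dst port", i.e. %DST %PORT) to the helper answer: OK = splice, ERR = let the later rules bump, BH = malformed input.
// The chain is deliberately not verified: we only read names, so the answer is a policy hint, not proof of identity; the client still does its own pinning.
func decide(line string) string {
	f := strings.Fields(line)
	if len(f) != 2 {
		return "BH"
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp",
		net.JoinHostPort(f[0], f[1]), &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return "ERR" // unreachable or not TLS: fall through to the bump rules
	}
	defer conn.Close()
	if cs := conn.ConnectionState().PeerCertificates; len(cs) > 0 && shouldSplice(append([]string{cs[0].Subject.CommonName}, cs[0].DNSNames...)) {
		return "OK"
	}
	return "ERR"
}

func main() {
	in := bufio.NewScanner(os.Stdin)
	for in.Scan() {
		os.Stdout.WriteString(decide(in.Text()) + "\n") // one answer per request line
	}
}
```

Each new destination costs the proxy one extra TLS handshake, so the ttl= cache on the external_acl_type matters. The helper trusts whatever names the far end presents, which is why it only decides whether to splice, never whether to trust.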