On 01/03/2018 10:38 AM, Matus UHLAR - fantomas wrote:
>> In a general case, the admin has to pick between two evils:
>>
>> * Allow TLS handshakes with arbitrary servers on TLS ports (my sketch)
>>
>> * or tell Squid to respond with error pages that the user cannot see
>> (without bypassing browser security warnings).
>>
>> Which evil is lesser is up to the admin to decide.

>> (*) We should allow CONNECTs to SSL_ports, not Safe_ports. I hope my
>> sketch did not use those ACLs.

> I'm afraid you did.

I did not: http://lists.squid-cache.org/pipermail/squid-users/2017-December/017268.html

I used toSafePorts, which is not one of the default ACLs (but may contain them). The admin should define the ACLs left out of the sketch correctly, of course.

Moreover, I would rename toSafePorts to toConnectableDestinations or similar to emphasize that this is the right place to ban CONNECTs to wrong/dangerous/etc. addresses.

> I'm also afraid that your proposal also prevents us from disabling
> CONNECTs later

If you are saying that my simple sketch does not address all possible use cases, then I certainly agree! I believe it addressed what OP requested, but if I misinterpreted his or her desires, I apologize. I hope the general description quoted at the start of this email, combined with Amos's and your warnings about undesirable CONNECT destinations, will allow them to fix their configuration as needed.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
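An added squid.conf fragment (not Alex's sketch from the linked thread, and not Squid's shipped default) showing the weak rule beside the corrected one for the point above: CONNECT tunnels should be allowed only to SSL_ports, never to Safe_ports. The ACL name toConnectableDestinations follows Alex's suggested rename; its domains and the port lists are constructed placeholders for illustration.

```conf
# Added example, not from the original thread. Port lists are placeholders.
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT

# Hypothetical ACL (name taken from Alex's suggestion): the only
# destinations to which a CONNECT tunnel may be opened. Constructed values.
acl toConnectableDestinations dstdomain .example.com
acl toConnectableDestinations dstdomain .example.net

# Weak: Safe_ports contains 80, 21 and a high-port range, so this rule
# lets clients open opaque tunnels to non-TLS services on those ports.
# http_access allow CONNECT Safe_ports

# Corrected ordering: reject any request to a non-safe port, reject CONNECT
# to anything but a TLS port, then allow CONNECT only to the approved list.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT toConnectableDestinations
http_access deny CONNECT

# Ordinary (non-CONNECT) traffic is handled by the usual rules below.
acl localnet src 192.0.2.0/24
http_access allow localnet
http_access deny all
```

Requests that hit the deny lines produce a Squid error page, which, as the quoted text notes, a browser will not show for a CONNECT it expected to carry TLS.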