On 06/18/2018 09:36 PM, Ahmad, Sarfaraz wrote:

> Can I leverage other information available in a server certificate's
> SAN field to build my ACLs?

Unfortunately, Squid does not have ACLs that can match non-dNSName[1] parts of the Subject Alternative Name extension.

[1] https://tools.ietf.org/html/rfc5280#section-4.2.1.6

> I haven't tried it, but would using ssl::server_name_regex to match
> IP=10.0.97.* work?

No, it should not work. When looking at SAN, Squid only looks at dNSName.

> Also I couldn't find a way to capture ssl::server_name (that Squid
> builds as described in the "acl" directive doc) in the logs. Logformat
> directive has only some bits of ssl information.

Squid does not have a logformat %code that would always contain the same name as the one examined by the ssl::server_name ACL. Moreover, since the ssl::server_name ACL examines different names (depending on the evaluation timing/context), logging a single value at the end of the transaction would not tell you what the ssl::server_name ACL was dealing with.

Needless to say, it is possible to modify Squid to add ACL(s) that would interrogate other SAN names and logformat %codes that would log SAN dNSName and other server certificate details. Logging the equivalent of the final ssl::server_name is also possible.

https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
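The distinction the reply turns on is that RFC 5280 SAN entries carry a per-entry type tag, and an IP address lives in an iPAddress entry rather than a dNSName entry, so a matcher that only inspects dNSName strings never sees "10.0.97.7" at all. The following added example (my own code, not Squid's and not from the thread) parses the DER body of a SAN extension, labels each GeneralName by type, and models a dNSName-only regex check the way the reply describes Squid's ssl::server_name behaviour. The sample certificate bytes are constructed for the example; the function names and the simplified matcher are assumptions, not Squid APIs.

```python
"""Parse an X.509 Subject Alternative Name (SAN) extension body and show
which entries a dNSName-only matcher can see.  Constructed example, not
Squid code; it models the behaviour described on the squid-users thread."""
import ipaddress
import re

# GeneralName context-specific primitive tags, RFC 5280 section 4.2.1.6
TAG_RFC822NAME = 0x81
TAG_DNSNAME = 0x82
TAG_URI = 0x86
TAG_IPADDRESS = 0x87
TAG_SEQUENCE = 0x30


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_san(der):
    """Return (kind, value) pairs for every GeneralName in a SAN extension body."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("SAN extension is not a single SEQUENCE")
    entries = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_DNSNAME:
            entries.append(("dNSName", value.decode("ascii")))
        elif tag == TAG_IPADDRESS:
            # iPAddress is the packed address: 4 bytes for IPv4, 16 for IPv6
            entries.append(("iPAddress", str(ipaddress.ip_address(value))))
        elif tag == TAG_RFC822NAME:
            entries.append(("rfc822Name", value.decode("ascii")))
        elif tag == TAG_URI:
            entries.append(("uniformResourceIdentifier", value.decode("ascii")))
        else:
            entries.append(("other", value.hex()))
    return entries


def dnsname_regex_matches(entries, pattern):
    """Hypothetical model of a dNSName-only ACL: only dNSName entries are tested,
    so a pattern aimed at an iPAddress entry can never match."""
    rx = re.compile(pattern)
    return [v for kind, v in entries if kind == "dNSName" and rx.search(v)]


# Constructed SAN body: two dNSName entries and one iPAddress (10.0.97.7).
SAMPLE_SAN = bytes([
    0x30, 0x24,                              # SEQUENCE, 36 bytes
    0x82, 0x0B, *b"example.com",             # [2] dNSName
    0x82, 0x0F, *b"www.example.com",         # [2] dNSName
    0x87, 0x04, 10, 0, 97, 7,                # [7] iPAddress
])

if __name__ == "__main__":
    entries = parse_san(SAMPLE_SAN)
    for kind, value in entries:
        print(f"{kind:26s} {value}")
    print("regex 'example\\.com$' ->", dnsname_regex_matches(entries, r"example\.com$"))
    print("regex '^10\\.0\\.97\\.'  ->", dnsname_regex_matches(entries, r"^10\.0\.97\."))
```

Running it lists the three entries with their types and shows that the host-name pattern matches both dNSName values while the IP pattern matches nothing, because the only place "10.0.97.7" appears is an iPAddress entry the matcher never inspects. To make the IP-based decision the original poster wanted, the policy has to be evaluated on the iPAddress entries (or on the connection's destination address) rather than on dNSName.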