[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump
tomtux007 at gmail.com
Fri Dec 4 08:34:10 UTC 2015
I'm trying to implement SSL-Blacklists based on SHA1-Fingerprints
(squid 3.5.11). As I know, certificate-fingerprints are one of the
parts of a certificate, which are visible in a uncrypted traffic.
It seems, that blocking https-sites based on fingerprints is only
working with a ssl_bump-enabled configuration. The directive, which
denies the access based on the fingerprint is "ssl_bump bump all" in
The necessary parts of my config:
acl DENY_SSL_BUMP ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
acl tls_s1_connect at_step SslBump1
acl SSL_BL server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
http_access deny SSL_BL
http_port 3128 ssl-bump generate-host-certificates=on
ssl_bump peek tls_s1_connect all
ssl_bump splice DENY_SSL_BUMP
ssl_bump bump all
Why do I need a "full" ssl_bump-configuration to prevent access based
on fingerprints? Why is it not enough with just "peeking" the
Thanks a lot.
More information about the squid-users