[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 4 12:40:28 UTC 2015


On 4/12/2015 9:34 p.m., Tom Tom wrote:
> Hi list,
> 
> I'm trying to implement SSL-Blacklists based on SHA1-Fingerprints
> (squid 3.5.11). As I know, certificate-fingerprints are one of the
> parts of a certificate, which are visible in a uncrypted traffic.
> 
> It seems, that blocking https-sites based on fingerprints is only
> working with a ssl_bump-enabled configuration. The directive, which
> denies the access based on the fingerprint is "ssl_bump bump all" in
> my case.
> 
> The necessary parts of my config:
> acl DENY_SSL_BUMP ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
> acl tls_s1_connect at_step SslBump1
> acl SSL_BL server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
> http_access deny SSL_BL
> 
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem
> ssl_bump peek tls_s1_connect all
> ssl_bump splice DENY_SSL_BUMP
> ssl_bump bump all
> 
> 
> 
> Question:
> Why do I need a "full" ssl_bump-configuration to prevent access based
> on fingerprints?

Because "deny" in the form you are trying to do it is an HTTP message.
In order to perform HTTP over a TLS connection you have to decrypt it first.


> Why is it not enough with just "peeking" the
> certificate/connection?

Because peeking is an action done to the TLS layer.


What you actually want to be doing is:

  acl step1 at_step SslBump1
  acl whitelist ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
  acl blacklist server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"

  ssl_bump splice whitelist
  ssl_bump peek step1
  ssl_bump stare all
  ssl_bump terminate blacklist
  ssl_bump bump all


Notice how http_access is not part of the TLS ssl_bump processing.

Amos


More information about the squid-users mailing list