[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump

Tom Tom tomtux007 at gmail.com
Fri Dec 4 14:32:53 UTC 2015

Hi Amos

The configuration you provided above also works fine. Thank you. Which
configuration is generally proposed, or "the way to go": the one
which terminates SSL blacklist matches with "ssl_bump terminate", or the other
which denies the HTTPS blacklist with "http_access deny"? Are there some

Kind regards,

On Fri, Dec 4, 2015 at 1:40 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 4/12/2015 9:34 p.m., Tom Tom wrote:
>> Hi list,
>> I'm trying to implement SSL blacklists based on SHA1 fingerprints
>> (squid 3.5.11). As far as I know, certificate fingerprints are one of the
>> parts of a certificate which are visible in unencrypted traffic.
>> It seems that blocking HTTPS sites based on fingerprints only
>> works with an ssl_bump-enabled configuration. The directive which
>> denies the access based on the fingerprint is "ssl_bump bump all" in
>> my case.
>> The necessary parts of my config:
>> acl DENY_SSL_BUMP ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
>> acl tls_s1_connect at_step SslBump1
>> acl SSL_BL server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
>> http_access deny SSL_BL
>> http_port 3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem
>> ssl_bump peek tls_s1_connect all
>> ssl_bump splice DENY_SSL_BUMP
>> ssl_bump bump all
>> Question:
>> Why do I need a "full" ssl_bump-configuration to prevent access based
>> on fingerprints?
> Because "deny" in the form you are trying to do it is an HTTP message.
> In order to perform HTTP over a TLS connection you have to decrypt it first.
>> Why is it not enough with just "peeking" the
>> certificate/connection?
> Because peeking is an action done to the TLS layer.
> What you actually want to be doing is:
>   acl step1 at_step SslBump1
>   acl whitelist ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
>   acl blacklist server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
>   ssl_bump splice whitelist
>   ssl_bump peek step1
>   ssl_bump stare all
>   ssl_bump terminate blacklist
>   ssl_bump bump all
> Notice how http_access is not part of the TLS ssl_bump processing.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
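The "SSL_BLACKLIST" file referenced by the server_cert_fingerprint ACL in both configurations above is a list of SHA1 fingerprints, and a wrong byte in one entry simply never matches, so it is worth generating and validating that file rather than typing it. The following is an added example, not code from this thread, Amos, or the Squid project: it computes the SHA1 fingerprint of a certificate exactly as `openssl x509 -noout -fingerprint -sha1` prints it (SHA1 over the DER bytes, uppercase hex pairs joined with colons), writes those lines out as an ACL file, and checks a fingerprint against such a file. The "#" comment handling in `load_blacklist` and the `make_pem` helper (used only to build constructed, non-certificate input so the script runs offline) are this example's own conventions, and the placeholder bytes are constructed; with a real server certificate saved from `openssl s_client -showcerts`, the fingerprint produced is the value squid compares against.

```python
"""
Build and check a squid server_cert_fingerprint ACL file (SHA1 fingerprints).

Added example, not code from the thread. Assumes the ACL file holds one
fingerprint per line in the colon-separated hex form that
`openssl x509 -noout -fingerprint -sha1` prints.
"""
import base64
import hashlib
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
# 20 bytes of SHA1 = 20 uppercase hex pairs separated by colons.
FP_RE = re.compile(r"^([0-9A-F]{2}:){19}[0-9A-F]{2}$")


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body of a single PEM certificate block and decode it to DER."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if not lines or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not a single PEM certificate block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def sha1_fingerprint(der: bytes) -> str:
    """SHA1 over the DER bytes, formatted like openssl: AA:BB:...:TT."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_of_pem(pem: str) -> str:
    """Fingerprint of a PEM-encoded certificate (what the ACL file should contain)."""
    return sha1_fingerprint(pem_to_der(pem))


def load_blacklist(text: str) -> set:
    """Parse an ACL file body: one fingerprint per line; '#' comments and blank
    lines are ignored (this example's convention). A malformed line raises, so a
    typo cannot silently become a rule that never matches anything."""
    fps = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fp = line.upper()
        if not FP_RE.match(fp):
            raise ValueError(f"line {lineno}: not a SHA1 fingerprint: {raw!r}")
        fps.add(fp)
    return fps


def is_blacklisted(fingerprint: str, blacklist_text: str) -> bool:
    """True if the (case-insensitive) fingerprint appears in the ACL file body."""
    return fingerprint.upper() in load_blacklist(blacklist_text)


def make_pem(der: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour; used here only to build constructed input."""
    body = base64.encodebytes(der).decode("ascii")
    return f"{PEM_BEGIN}\n{body}{PEM_END}\n"


def blacklist_file_from_pems(pems) -> str:
    """Render one fingerprint line per PEM certificate, ready for the ACL file."""
    return "\n".join(fingerprint_of_pem(p) for p in pems) + "\n"


if __name__ == "__main__":
    # Constructed placeholder bytes stand in for a real certificate's DER.
    fake_cert = make_pem(b"constructed placeholder, not a real certificate")
    acl_file = blacklist_file_from_pems([fake_cert])
    print(acl_file, end="")
    print(is_blacklisted(fingerprint_of_pem(fake_cert), acl_file))
```

The strict parse in `load_blacklist` is the useful part operationally: because a terminate rule that never matches produces no error in squid, validating the list before it is installed is the only cheap way to catch a truncated or mis-pasted fingerprint.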
