[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 4 14:47:55 UTC 2015


On 5/12/2015 3:32 a.m., Tom Tom wrote:
> Hi Amos
> 
> The configuration you provided above also works fine. Thank you. Which
> configuration is generally proposed, or "the way to go": the one
> which terminates SSL blacklist matches with "ssl_bump terminate", or the
> other which denies HTTPS blacklist matches with "http_access deny"? Are
> there any speed or security considerations?

terminate is the correct way to go if you are rejecting based on just
the TLS details. Squid may decrypt, but will only do the absolute
minimum necessary to get the error back to the client. Not getting
involved with the client's HTTPS data is a good idea.

Amos
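An added squid.conf fragment illustrating the "terminate" approach Amos recommends; it is not the configuration he posted earlier in the thread. It assumes Squid 3.5 or later built with OpenSSL support, and the blacklist file path and fingerprint format below are assumptions, not values from this thread.

```conf
# Added example: reject connections to servers whose certificate SHA1
# fingerprint is on a blacklist, without decrypting the client's HTTPS data.
#
# One fingerprint per line in the file, in the colon-separated form that
# Squid's server_cert_fingerprint ACL expects. The same form is printed by
#   openssl x509 -in server.pem -noout -fingerprint -sha1
# (assumed path; the file is a constructed placeholder here).
acl blacklisted_certs server_cert_fingerprint -sha1 "/etc/squid/ssl_blacklist.txt"

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Step 1: only the client hello has been seen; peek to learn the SNI.
ssl_bump peek step1
# Step 2: peek at the server hello so Squid sees the server certificate
# while still leaving the session encrypted end to end.
ssl_bump peek step2
# Step 3: the server certificate is now known. Terminate the blacklisted
# ones (Squid does only the minimum needed to return an error to the
# client) and splice everything else through untouched.
ssl_bump terminate blacklisted_certs
ssl_bump splice all
```

After peeking at step 2 Squid can only splice or terminate at step 3, which is exactly what this fragment relies on; an "http_access deny" rule is needed only when the decision must also consider the decrypted HTTP request, not the TLS details alone.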
