[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump
Ralf Hildebrandt
Ralf.Hildebrandt at charite.de
Mon Dec 7 11:37:47 UTC 2015
* Alex Rousskov <rousskov at measurement-factory.com>:
> Please consider adding this fine example to the SslPeekAndSplice wiki
> page at http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
>
> Please note that if you do not want to bump anything, then the following
> should also work (bugs notwithstanding):
>
> ssl_bump splice whitelist
> ssl_bump peek all
> ssl_bump terminate blacklist
> ssl_bump splice all
That doesn't seem to work for me (squid 3.5.2) - at the very bottom of
my config I have:
*** snip ***
# server names that must never be inspected (matched against the TLS server name)
acl whitelist ssl::server_name_regex -i "/etc/squid3/DENY_SSL_BUMP"
# SHA-1 fingerprints of server certificates whose connections must be terminated
acl blacklist server_cert_fingerprint "/etc/squid3/SSL_BLACKLIST"
ssl_bump splice whitelist
ssl_bump peek all
ssl_bump terminate blacklist
ssl_bump splice all
*** snap ***
I put "9ec8153f27c9b5bab91749c80ad7df21d38c8050" into
/etc/squid3/SSL_BLACKLIST -- which is the SHA-1 Fingerprint of
https://www.arschkrebs.de/
Yet I still can connect. What am I doing wrong?
--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt at charite.de Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
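An added example, not part of the thread and not Squid's own code: a small POSIX shell helper for producing the SSL_BLACKLIST file. The squid.conf documentation shows server_cert_fingerprint values as colon-separated uppercase hex pairs (XX:XX:...), which is also the form `openssl x509 -fingerprint -sha1` prints; the helper normalizes fingerprints pasted as bare hex into that form and rejects anything that is not 40 hex digits (SHA-1 is 20 bytes). The function names and the output path are my own choices, and the fingerprint in the usage comment is the one quoted above, used here only as constructed input. Note that a certificate fingerprint pins one leaf certificate, so the entry has to be refreshed whenever the server renews its certificate.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): build a server_cert_fingerprint
# blacklist in the form squid.conf documents (XX:XX:..., uppercase hex pairs).

# Normalize one SHA-1 fingerprint: strip colons and whitespace, uppercase the
# hex digits, then put a colon between every pair. Returns non-zero when the
# input is not exactly 40 hex digits.
squid_fp() {
    fp=$(printf '%s' "$1" | tr -d ':[:space:]' | tr 'a-f' 'A-F')
    case "$fp" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ ${#fp} -eq 40 ] || return 1
    printf '%s\n' "$fp" | sed 's/../&:/g; s/:$//'
}

# Fetch the SHA-1 fingerprint of a live server's leaf certificate (needs network
# and openssl; the host name is also sent as SNI). openssl already prints the
# colon-separated form, so only the "SHA1 Fingerprint=" prefix is removed.
live_fp() {
    host=$1
    openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 \
        | sed 's/^.*=//'
}

# Write the blacklist file from a list of raw fingerprints, one per line,
# skipping (and reporting) anything squid_fp rejects.
build_blacklist() {
    out=$1
    shift
    : > "$out"
    for raw in "$@"; do
        if fp=$(squid_fp "$raw"); then
            printf '%s\n' "$fp" >> "$out"
        else
            printf 'skipping malformed fingerprint: %s\n' "$raw" >&2
        fi
    done
}

# Usage (fingerprint taken from the post above as constructed input):
#   build_blacklist /etc/squid3/SSL_BLACKLIST 9ec8153f27c9b5bab91749c80ad7df21d38c8050
#   build_blacklist /etc/squid3/SSL_BLACKLIST "$(live_fp www.example.com)"
# then reload squid (squid -k reconfigure) so the ACL file is re-read.
```

Because ssl_bump decides per step, the server certificate is only available once Squid has peeked at the server hello, so a terminate rule on server_cert_fingerprint has to sit after the peek rule, as in the configuration quoted above.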