[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Mon Dec 7 21:30:01 UTC 2015

On 12/07/2015 02:05 PM, Tom Tom wrote:
> The configuration provided by Alex works for me (squid 3.5.11) 

Thank you for testing and helping expose problems.

> if:
> * the http_port-directive is configured with ssl-bump and a
> certificate (ex. http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem)

ssl-bump is required to access SSL/TLS peeking code. No way around that
today although future Squid versions may provide something like an
ssl-peek port option that tells Squid that no bumping, for any reason
(including error serving) is permitted on that port.

Specifying root CA is required to serve certificate validation (and
other) errors, but we probably should be more flexible and allow no-CA
splice-or-terminate configurations as well.

Related enhancement requests in bugzilla are welcomed, especially if
they are followed by quality patches.

> * the SHA1-fingerprint in the file SSL_BLACKLISTS is delimited after
> two characters with a colon
> (9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50 for
> ar***krebs.de)

If Squid silently misinterprets colon-less fingerprints, it is a bug
that should be reported and fixed. Squid should either interpret them
correctly or exit with a configuration error.

Thank you,


> On Mon, Dec 7, 2015 at 4:02 PM, Alex Rousskov
> <rousskov at measurement-factory.com> wrote:
>> On 12/07/2015 04:37 AM, Ralf Hildebrandt wrote:
>>> * Alex Rousskov <rousskov at measurement-factory.com>:
>>>> Please note that if you do not want to bump anything, then the following
>>>> should also work (bugs notwithstanding):
>>>>     ssl_bump splice whitelist
>>>>     ssl_bump peek all
>>>>     ssl_bump terminate blacklist
>>>>     ssl_bump splice all
>>> That doesn't seem to work for me (squid 3.5.2)
>>> Yet I still can connect. What am I doing wrong?
>> If you are indeed using v3.5.2, then that is a big red flag.
>> If you are using the latest v3.5 release, then you should open a bug
>> report, preferably with an ALL,9 log depicting a single failing
>> transaction. AFAICT, the above is meant to work. If it does not, there
>> is either a Squid bug or misconfiguration [that I cannot detect by
>> reading email].
>> Thank you,
>> Alex.
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
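The second point Tom reports (colon-delimited fingerprints match, colon-less ones silently do not) and Alex's reply (Squid should either interpret both or fail loudly) are about how a blacklist file is parsed before it ever reaches an ssl_bump rule. The following is an added example, written for this page and not code from the thread or from Squid, of the behaviour Alex asks for: a small loader for an SSL_BLACKLISTS-style file that accepts both forms, normalizes them to the colon-delimited SHA-1 form Squid's server_cert_fingerprint ACL documents, and raises a configuration error on anything it cannot interpret unambiguously. The file layout (one fingerprint per line, `#` comments) is an assumption, as is the DER input: `SAMPLE_DER` is constructed bytes standing in for a real certificate, since the SHA-1 fingerprint is simply the digest of the DER encoding.

```python
import hashlib
import re

# Canonical form used by Squid's server_cert_fingerprint ACL: 20 SHA-1 bytes as
# upper-case hex pairs joined by colons (the form that worked for Tom).
_COLON_FORM = re.compile(r"^([0-9A-F]{2}:){19}[0-9A-F]{2}$")
# Bare 40-hex form (the form Tom reports as silently not matching).
_BARE_FORM = re.compile(r"^[0-9A-F]{40}$")


class FingerprintConfigError(ValueError):
    """Raised for an entry that cannot be interpreted unambiguously."""


def normalize_sha1_fingerprint(entry: str) -> str:
    """Return the canonical colon-delimited form of a SHA-1 fingerprint.

    Both the colon-delimited and the bare 40-hex spellings are accepted and
    case-folded; anything else (wrong length, non-hex characters, mixed or
    misplaced separators) is rejected instead of being kept as a dead entry.
    """
    s = entry.strip().upper()
    if _COLON_FORM.match(s):
        return s
    if _BARE_FORM.match(s):
        return ":".join(s[i:i + 2] for i in range(0, 40, 2))
    raise FingerprintConfigError("unparseable SHA-1 fingerprint: %r" % entry)


def entry_is_valid(entry: str) -> bool:
    """True if normalize_sha1_fingerprint() would accept the entry."""
    try:
        normalize_sha1_fingerprint(entry)
        return True
    except FingerprintConfigError:
        return False


def load_blacklist(text: str) -> set:
    """Parse a blacklist body (assumed layout: one fingerprint per line, '#' comments).

    A single bad line aborts the load with its line number, mirroring the
    'exit with a configuration error' behaviour Alex asks for.
    """
    result = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            result.add(normalize_sha1_fingerprint(line))
        except FingerprintConfigError as exc:
            raise FingerprintConfigError("line %d: %s" % (lineno, exc)) from exc
    return result


def cert_sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, in the colon-delimited form."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def is_blacklisted(der: bytes, blacklist: set) -> bool:
    """Decision a 'terminate blacklist' rule would take for this server cert."""
    return cert_sha1_fingerprint(der) in blacklist


# Constructed sample data: not a real certificate, not a real blacklist.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_BLACKLIST = """
# the fingerprint quoted in the thread, once per spelling
9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50
9ec8153f27c9b5bab91749c80ad7df21d38c8050   # same entry, bare lower-case hex
"""

if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST)
    print("loaded %d distinct fingerprint(s)" % len(bl))
    print("sample cert:", cert_sha1_fingerprint(SAMPLE_DER),
          "blacklisted" if is_blacklisted(SAMPLE_DER, bl) else "not blacklisted")
    try:
        load_blacklist("9E:C8:15:3F")
    except FingerprintConfigError as exc:
        print("rejected as expected:", exc)
```

Run stand-alone it loads the two spellings of the thread's fingerprint as one entry, reports whether the constructed certificate bytes match, and shows a truncated entry being rejected with its line number rather than ignored. The same normalization is worth applying to any fingerprint list before handing it to a proxy, so that a formatting slip cannot quietly turn a terminate rule into a no-op.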
