[squid-users] Squid 3 SSL bump: Google drive application could not connect
Chris Bennett
chris at ceegeebee.com
Thu Jan 8 05:41:57 UTC 2015
Interesting thread so far. Has anyone thought of using Bro-IDS as a
feedback loop for some of this advanced logic for bypassing bumping?
Bro performs passive reconnaissance, generates very useful logs for
any payloads it can decode, and is extendable.
e.g. ssl.log may contain something like this for a mail.google connection (it's
usually TSV, I've added headers for readability)
ts 1420695401.142980
uid CPy8RndJtKO7AWuba
id.orig_h 10.0.3.54
id.orig_p 49471
id.resp_h 216.58.220.101
id.resp_p 443
version TLSv10
cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
server_name mail.google.com
session_id b9be0d07db3c10511d673d8537c7809eddbee60a6601a7a23f67d97ab23fc6e8
subject CN=mail.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
issuer_subject CN=Google Internet Authority G2,O=Google Inc,C=US
not_valid_before 1418172300.000000
not_valid_after 1425907800.000000
last_alert -
client_subject -
client_issuer_subject -
cert_hash 7081464425ab98aef8f5818ebd40fec9
validation_status ok
I like the active external acl solution since it meets a need, but
there is overhead. I'm not quite sure what Bro logs for non-HTTPS
443 traffic, but I thought I'd chime in with the above idea if anyone
wants to expand on it further :)
Regards,
Chris
More information about the squid-users
mailing list