[squid-users] Ssl-Bump and revoked server certificates
Jason Haar
Jason_Haar at trimble.com
Tue Oct 6 22:18:08 UTC 2015
On 06/10/15 23:21, Walter H. wrote:
> Hello,
>
> can you please provide an example of how to use this in squid.conf
#create external acl checker that returns "ERR" or "OK" based on cert
data sent to it
external_acl_type checkIfHTTPS children-max=20 concurrency=20
negative_ttl=3600 ttl=3600 grace=90 %SRC %DST %PORT %ssl::>sni
/usr/local/bin/confirm_https.pl
acl is_ssl external checkIfHTTPS
#only bump SSL transactions that return "OK"
ssl_bump bump is_ssl
Then the script is passed srcIP, dstHostname|dstIP (depends on whether
this is a CONNECT or transparent proxy), port (probably 443) and the SNI
value (if present)
My script does a bunch of checks, and now includes downloading the
server cert, scraping it for CRL data, downloads the CRL file and
compares the cert's serial number against that CRL - hence discovering
if it's revoked or not
The script can differentiate between non-SSL, SSL, HTTPS and
HTTPS-to-whitelisted-sites,HTTPS-with-self-signed,
HTTPS-with-untrusted-CA, HTTPS-with-client-cert, HTTPS-with-CRL-check -
in all these "failure" cases it returns "ERR" - which causes squid to
NOT bump the connection and instead splice it. End result is squid only
bumps sessions it can successfully and safely bump, and applications
like Gtalk, Skype, and regex-whitelisted sites work without human
intervention - leaving only cert pinning as the only manual process
(because these cannot be detected - only the application "knows" if it's
pinned)
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the squid-users
mailing list