[squid-users] Ssl-Bump and revoked server certificates

Jason Haar Jason_Haar at trimble.com
Tue Oct 6 22:18:08 UTC 2015

On 06/10/15 23:21, Walter H. wrote:
> Hello,
> can you please provide an example of how to use this in squid.conf

#create external acl checker that returns "ERR" or "OK" based on cert
data sent to it
external_acl_type checkIfHTTPS children-max=20 concurrency=20
negative_ttl=3600 ttl=3600 grace=90  %SRC %DST %PORT %ssl::>sni
acl is_ssl external checkIfHTTPS

#only bump SSL transactions that return "OK"
ssl_bump bump is_ssl

Then the script is passed srcIP, dstHostname|dstIP (depends on whether
this is a CONNECT or transparent proxy), port (probably 443) and the SNI
value (if present)

My script does a bunch of checks, and now includes downloading the
server cert, scraping it for CRL data, downloads the CRL file and
compares the cert's serial number against that CRL - hence discovering
if it's revoked or not

The script can differentiate between non-SSL, SSL, HTTPS and
HTTPS-with-untrusted-CA, HTTPS-with-client-cert, HTTPS-with-CRL-check -
in all these "failure" cases it returns "ERR" - which causes squid to
NOT bump the connection and instead splice it. End result is squid only
bumps sessions it can successfully and safely bump, and applications
like Gtalk, Skype, and regex-whitelisted sites work  without human
intervention - leaving only cert pinning as the only manual process
(because these cannot be detected - only the application "knows" if it's


Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the squid-users mailing list