[squid-users] Ssl-Bump and revoked server certificates

Marcus Kool marcus.kool at urlfilterdb.com
Wed Oct 7 00:56:36 UTC 2015



On 10/06/2015 07:18 PM, Jason Haar wrote:
> On 06/10/15 23:21, Walter H. wrote:
>> Hello,
>>
>> can you please provide an example of how to use this in squid.conf
>
> # create external acl checker that returns "ERR" or "OK" based on cert data sent to it
> external_acl_type checkIfHTTPS children-max=20 concurrency=20 negative_ttl=3600 ttl=3600 grace=90 %SRC %DST %PORT %ssl::>sni /usr/local/bin/confirm_https.pl
> acl is_ssl external checkIfHTTPS
>
> # only bump SSL transactions that return "OK"
> ssl_bump bump is_ssl
>
>
> Then the script is passed srcIP, dstHostname|dstIP (depends on whether
> this is a CONNECT or transparent proxy), port (probably 443) and the SNI
> value (if present)
>
> My script does a bunch of checks, and now includes downloading the
> server cert, scraping it for CRL data, downloads the CRL file and
> compares the cert's serial number against that CRL - hence discovering
> if it's revoked or not
>
> The script can differentiate between non-SSL, SSL, HTTPS and
> HTTPS-to-whitelisted-sites, HTTPS-with-self-signed,
> HTTPS-with-untrusted-CA, HTTPS-with-client-cert, HTTPS-with-CRL-check -
> in all these "failure" cases it returns "ERR" - which causes squid to
> NOT bump the connection and instead splice it. End result is squid only
> bumps sessions it can successfully and safely bump, and applications
> like Gtalk, Skype, and regex-whitelisted sites work without human
> intervention - leaving cert pinning as the only manual process
> (because these cannot be detected - only the application "knows" if it's
> pinned)

Hi Jason,

This sounds like an interesting script. Do you want to make this public?
And what about sites that use HSTS? Can you also do a "GET /" and check
the headers for HSTS?

Marcus
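An added example of the helper interface the quoted squid.conf describes, written for this thread in Python; it is not Jason's confirm_https.pl and not Squid project code. It reads request lines in the concurrency format ("<channel-id> <src> <dst> <port> <sni>"), fetches and validates the server certificate with the standard library, compares the serial against revocation data, and answers ERR for anything it cannot bump safely. The splice patterns, issuer name and revoked serials are constructed sample values; a real helper would fetch the CRL from the certificate's distribution point.

```python
import re
import socket
import ssl
import sys

# Constructed policy: regex-whitelisted sites that are always spliced, never bumped.
SPLICE_PATTERNS = [re.compile(p) for p in (r"(^|\.)skype\.com$", r"(^|\.)talk\.google\.com$")]
# Constructed revocation data: issuer CN -> revoked serials (upper-case hex, the form
# ssl.getpeercert() reports).  A real helper fills this from the cert's CRL.
REVOKED = {"Example CA": {"1A2B", "3C4D"}}

def parse_request(line):
    """One request line "<channel> <src> <dst> <port> <sni>"; SNI is '-' if absent."""
    parts = line.rstrip("\n").split(" ")
    if len(parts) < 5:
        raise ValueError("expected: channel src dst port sni")
    channel, src, dst, port, sni = parts[:5]
    return {"channel": channel, "src": src, "dst": dst, "port": int(port),
            "sni": None if sni in ("", "-") else sni}

def fetch_cert(host, port, timeout=5):
    """Validated server cert as a getpeercert() dict, or None when the handshake fails
    or the default context rejects the chain (untrusted CA, self-signed, bad name)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None

def issuer_cn(cert):
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"), "")

def decide(req, cert):
    """'OK' only when bumping is known to be safe; any doubt answers 'ERR' (splice)."""
    name = req["sni"] or req["dst"]
    if req["port"] != 443 or any(p.search(name) for p in SPLICE_PATTERNS):
        return "ERR"  # not HTTPS, or a site we never bump
    if cert is None:
        return "ERR"  # no TLS, untrusted CA, self-signed, or unreachable
    if cert.get("serialNumber", "").upper() in REVOKED.get(issuer_cn(cert), set()):
        return "ERR"  # serial appears in the issuer's CRL
    return "OK"

def handle_line(line, cert_lookup=lambda r: fetch_cert(r["sni"] or r["dst"], r["port"])):
    req = parse_request(line)
    return f"{req['channel']} {decide(req, cert_lookup(req))}"

if __name__ == "__main__":
    for request in sys.stdin:  # Squid keeps the helper running, one line per lookup
        print(handle_line(request), flush=True)
```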
