[squid-users] ssl callout helper
James Harper
james at ejbdigital.com.au
Sun Nov 16 01:12:02 UTC 2014
I've written a little helper to do ssl callouts to determine if the server is running ssl at all (e.g. not tunnelling over ssl), and also to be able to do limited ACL on CN/SAN. The main limitation is the way larger organisations will often have one SSL cert that covers many URLs (e.g. the google cert also covers google.com, youtube.com etc).
Currently I need to do it like:
external_acl_type cert_callout %DST %PORT /usr/local/squid/libexec/ext_cert_callout_acl
acl banks dstdomain .bigbank.com
acl banks dstdomain .otherbank.com
acl is_ssl external cert_callout IS_SSL
acl banks_callout external cert_callout SAN .bigbank.com
acl banks_callout external cert_callout SAN .otherbank.com
ssl_bump splice !is_ssl
ssl_bump splice banks
ssl_bump splice banks_callout
ssl_bump bump all
But I'd rather not have to maintain the banks and the banks_callout lists separately when they are identical. Apart from sticking them in a separate file, are there any shortcuts I can take?
Also, it would be good if squid could make use of the CN from the certificate for logging, so instead of "CONNECT <IP>:<PORT>", I could log "CONNECT <CN>:<PORT>", which would really clean up the logs (apart from the cases mentioned above). I think I can use tag= or log=, but that would preclude me from using them for anything else (I'm not using them for anything else at the moment but still...)
Thanks
James
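An added example of what such a callout helper can look like (it is not James's ext_cert_callout_acl and not Squid's own code): Python, speaking the external_acl protocol on stdin/stdout for the IS_SSL and SAN forms shown above. It assumes the server's certificate chains to the system trust store (Python's ssl module only hands back parsed SANs for a verified chain) and that the ACL argument uses dstdomain-style matching.

```python
# Illustrative Squid external_acl helper (added example, not James's ext_cert_callout_acl).
# Request lines: "<dst> <port> IS_SSL"  or  "<dst> <port> SAN .bigbank.com .otherbank.com"
import socket
import ssl
import sys

def fetch_sans(host, port, timeout=5.0):
    """DNS SANs (+CN) of the cert at host:port; None if no TLS at all, [] if TLS but untrusted chain."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared against the ACL argument below
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return []  # it is SSL, but SAN matching would need a trusted chain (assumption)
    except OSError:  # other ssl.SSLError / connection errors: no TLS on that port
        return None
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names + [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def san_matches(san, pattern):
    """dstdomain semantics ('.bigbank.com' = domain + subdomains, no dot = exact); *.x covers one label."""
    san, pattern = san.lower(), pattern.lower()
    if san.startswith("*."):
        base = san[1:]  # ".bigbank.com"
        if pattern.startswith("."):
            return pattern.endswith(base)
        return pattern.endswith(base) and "." not in pattern[:-len(base)]
    if pattern.startswith("."):
        return san == pattern[1:] or san.endswith(pattern)
    return san == pattern

def decide(line, fetcher=fetch_sans):
    """One request line from Squid -> one reply line (OK / ERR / BH); fetcher is injectable."""
    parts = line.split()
    if len(parts) < 3 or not parts[1].isdigit():
        return "BH message=malformed_request"
    sans = fetcher(parts[0], int(parts[1]))
    if parts[2].upper() == "IS_SSL":
        return "OK" if sans is not None else "ERR"
    if parts[2].upper() == "SAN":
        for san in sans or []:
            if any(san_matches(san, p) for p in parts[3:]):
                return "OK log=" + san  # matched cert name can reach access.log via %ea
        return "ERR"
    return "BH message=unknown_mode"

if __name__ == "__main__":
    for request in sys.stdin:
        print(decide(request), flush=True)  # Squid waits for each reply; never leave it buffered
```

Returning the matched name in log= is one way to get the certificate name into the access log without a separate tag, at the cost James mentions: the log= slot is then taken.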