[squid-users] ssl callout helper

Amos Jeffries squid3 at treenet.co.nz
Sun Nov 16 20:40:11 UTC 2014



On 16/11/2014 2:12 p.m., James Harper wrote:
> I've written a little helper to do ssl callouts to determine if
> the server is running ssl at all (eg not tunnelling over ssl), and
> also to be able to do limited ACL on CN/SAN. The main limitation is
> the way larger organisations will often have one SSL cert that
> covers many URLs (eg google cert also covers google.com,
> youtube.com etc).
> 
> Currently I need to do it like:
> 
> external_acl_type cert_callout %DST %PORT /usr/local/squid/libexec/ext_cert_callout_acl
> 
> acl banks dstdomain .bigbank.com
> acl banks dstdomain .otherbank.com
> 
> acl is_ssl external cert_callout IS_SSL
> acl banks_callout external cert_callout SAN .bigbank.com
> acl banks_callout external cert_callout SAN .otherbank.com
> 
> ssl_bump splice !is_ssl
> ssl_bump splice banks
> ssl_bump splice banks_callout
> ssl_bump bump all
> 
> But I'd rather not have to maintain the banks and the
> banks_callout lists separately when they are identical. Apart from
> sticking them in a separate file, are there any shortcuts I can
> take?

Return a tag=X parameter from your helper and use the note ACL type in
ssl_bump.

However, ssl_bump is a "fast" type ACL and as such is not really
capable of running external ACL tests.

> 
> Also, it would be good if squid could make use of the CN from the 
> certificate for logging, so instead of "CONNECT <IP>:<PORT>", I
> could log "CONNECT <CN>:<PORT>", which would really clean up the
> logs (apart from the cases mentioned above). I think I can use tag=
> or log=, but that would preclude me from using them for anything
> else (I'm not using them for anything else at the moment but
> still...)

<http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F>

Also note that for splice the server cert details are probably not
available. If the IP address reverse-DNS points at any of your "banks"
ACL entries the connection will be spliced without even seeing the
ClientHello details.

Amos
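The helper protocol discussed in this thread, as an added example (not James's helper and not Squid's own code): a Python external ACL helper that reads the `%DST %PORT` line plus the IS_SSL / SAN arguments from the post and answers OK or ERR, carrying the tag= annotation Amos suggests. The TLS callout itself is replaced by constructed sample data (SAMPLE_CERTS, fetch_san are assumptions), and the cdn.example.net entry reproduces the shared-certificate caveat from the post.

```python
#!/usr/bin/env python3
"""Skeleton Squid external ACL helper (added example, not the helper from the post).
Request lines, given `external_acl_type cert_callout %DST %PORT`, look like
"<dst> <port> IS_SSL" or "<dst> <port> SAN <pattern> [<tag>]"; replies are
"OK [tag=<tag>]" or "ERR". A lookup over constructed data replaces the TLS probe."""
import sys

# Constructed sample: SAN list a TLS probe of each (host, port) would yield;
# None stands for "no TLS handshake on that port" (the IS_SSL case).
SAMPLE_CERTS = {
    ("www.bigbank.com", 443): ["www.bigbank.com", "*.bigbank.com"],
    ("cdn.example.net", 443): ["*.example.net", "bigbank.com"],  # shared cert
    ("10.0.0.5", 443): None,
}

def fetch_san(dst, port):
    """Stand-in for the real callout; returns the SAN list or None."""
    return SAMPLE_CERTS.get((dst, port))

def name_matches(pattern, name):
    """dstdomain-style match: '.bigbank.com' covers the domain and every
    subdomain; a bare name must match exactly. A wildcard SAN such as
    '*.bigbank.com' is compared by its suffix."""
    name, pattern = name.lower(), pattern.lower()
    if name.startswith("*."):
        name = name[1:]
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern

def handle_request(line, fetch=fetch_san):
    """Map one Squid request line to the helper's reply line."""
    fields = line.split()
    if len(fields) < 3 or not fields[1].isdigit():
        return "ERR"
    dst, port, check = fields[0], int(fields[1]), fields[2].upper()
    san = fetch(dst, port)
    if check == "IS_SSL":
        return "OK" if san is not None else "ERR"
    if check == "SAN" and len(fields) in (4, 5) and san is not None:
        if any(name_matches(fields[3], n) for n in san):
            # the tag= annotation is what squid.conf can test with the note ACL
            tag = fields[4] if len(fields) == 5 else fields[3].lstrip(".")
            return "OK tag=" + tag
    return "ERR"

if __name__ == "__main__":  # Squid drives the helper over stdin/stdout
    for request in sys.stdin:
        sys.stdout.write(handle_request(request) + "\n")
        sys.stdout.flush()
```

Because of the fast-ACL limitation Amos points out, squid.conf would have to evaluate the external ACL from a slow-ACL directive such as http_access first, so that the tag= annotation already exists by the time an ssl_bump rule tests it.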