[squid-users] HTTPS Filtering by Certificate Subject Name

Eric Lackey eric.lackey at gmail.com
Sat Oct 18 05:10:02 UTC 2014


It looks like this question has come up before, but I'm hoping to get some
further details on it.

I've used a couple of firewalls (Watchguard & Fortigate) that allow me to
do a level of HTTPS site filtering without decryption. I believe that it
works by requesting and examining the certificate sent from the remote
server. If the subject name or subject alternate names on the certificate
match a whitelist of domains that we have specified then access to the site
is allowed. As far as I know, it does not require decrypting the SSL
connection and I'm positive that it doesn't return self-generated
certificates.

It would not be very effective for someone trying to use Squid for blocking
end users' access to every site on the Internet. But, it works great for our
use case where we want to allow our servers to only access a handful of
sites.

From everything I've read, it looks like the only option is for Squid to
decrypt the connection. Is there a particular reason why this feature could
not be implemented in Squid if it's available in these other devices? Or if
it is available, could I get some direction?

Thank you in advance for any help.
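The check the post describes, as an added example (not Squid code and not from the original post): read the server certificate's subject CN and DNS SANs, and allow the destination only if one of them covers an allowlisted domain. The allowlist and the sample certificate dict are constructed; the dict follows the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl

# Allowlist of destinations our servers may reach (constructed sample values).
ALLOWED_DOMAINS = {"api.example.com", "updates.example.net"}


def cert_names(cert):
    """Collect DNS names from a certificate in getpeercert() dict form:
    the subject commonName plus every 'DNS' subjectAltName entry."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(cert_name, domain):
    """True if a certificate name covers `domain`. A leading '*.' wildcard
    matches exactly one DNS label (RFC 6125 section 6.4.3 style)."""
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # e.g. ".example.com"
        head, sep, tail = domain.partition(".")
        return bool(sep) and head != "" and "." + tail == suffix
    return cert_name == domain


def allowed_by_cert(cert, allowlist=ALLOWED_DOMAINS):
    """Return the allowlisted domains this certificate vouches for; an empty
    set means block. No decryption of the client session is involved."""
    return {d for d in allowlist for n in cert_names(cert) if name_matches(n, d)}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """TLS handshake to the server, return its certificate dict, disconnect.
    Needs network access, so it is not exercised offline."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificate in getpeercert() dict shape (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.cdn.example.org")),
}
```

The names on the certificate are the server's, not the client's request: a shared hosting or CDN certificate that carries one allowed name also carries every other host on that certificate, so pair this check with the allowlist on the proxy side as well.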

