[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump

Tom Tom tomtux007 at gmail.com
Fri Dec 4 08:34:10 UTC 2015


Hi list,

I'm trying to implement SSL-Blacklists based on SHA1-Fingerprints
(squid 3.5.11). As I know, certificate-fingerprints are one of the
parts of a certificate, which are visible in a uncrypted traffic.

It seems, that blocking https-sites based on fingerprints is only
working with a ssl_bump-enabled configuration. The directive, which
denies the access based on the fingerprint is "ssl_bump bump all" in
my case.

The necessary parts of my config:
acl DENY_SSL_BUMP ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
acl tls_s1_connect at_step SslBump1
acl SSL_BL server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
http_access deny SSL_BL

http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem
ssl_bump peek tls_s1_connect all
ssl_bump splice DENY_SSL_BUMP
ssl_bump bump all



Question:
Why do I need a "full" ssl_bump-configuration to prevent access based
on fingerprints? Why is it not enough with just "peeking" the
certificate/connection?

Thanks a lot.
Kind regards,
Tom


More information about the squid-users mailing list