[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump
Amos Jeffries
squid3 at treenet.co.nz
Fri Dec 4 14:47:55 UTC 2015
On 5/12/2015 3:32 a.m., Tom Tom wrote:
> Hi Amos
>
> The configuration you provided above also works fine. Thank you. Which
> configuration is generally proposed or "the way to go"?: The one,
> which terminates SSL-Blacklists with "ssl_bump terminate" or the other
> which denies https-Blacklist with "http_access deny"? Are there some
> speed-/security...-considerations?
terminate is the correct way to go if you are rejecting based on just
the TLS details. Squid may decrypt, but will only do the absolute
minimum necessary to get the error back to the client. Not getting
involved with the client's HTTPS data is a good idea.
Amos
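
A squid.conf sketch of the "ssl_bump terminate" approach discussed above, added here as an illustration (it is not the configuration from earlier in the thread). The ACL name tls_blacklist and the file path are assumptions, as is the fingerprint file format noted in the comments.

```conf
# Added example, not the configuration posted earlier in this thread.
# Assumed names: ACL "tls_blacklist" and the file path below are hypothetical.

# SslBump processing steps
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Blacklisted server certificates, one SHA1 fingerprint per line.
# Assumption: colon-separated hex, as printed by
#   openssl x509 -noout -fingerprint -sha1
acl tls_blacklist server_cert_fingerprint -sha1 "/etc/squid/ssl_blacklist_sha1.txt"

# Peek at the client hello (step 1) and the server hello (step 2).
# The server certificate is only known after the step 2 peek, so the
# fingerprint ACL can first match when the step 3 decision is made.
ssl_bump peek step1
ssl_bump peek step2

# Reject on TLS details alone: close the connection for blacklisted certificates.
ssl_bump terminate tls_blacklist

# Everything else is passed through without decryption.
ssl_bump splice all
```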