[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump
Alex Rousskov
rousskov at measurement-factory.com
Fri Dec 4 16:15:31 UTC 2015
On 12/04/2015 05:40 AM, Amos Jeffries wrote:
> On 4/12/2015 9:34 p.m., Tom Tom wrote:
>> Why do I need a "full" ssl_bump-configuration to prevent access based
>> on fingerprints?
> Because "deny" in the form you are trying to do it is an HTTP message.
> In order to perform HTTP over a TLS connection you have to decrypt it first.
> What you actually want to be doing is:
>
> acl step1 at_step SslBump1
> acl whitelist ssl::server_name_regex -i "/etc/squid/DENY_SSL_BUMP"
> acl blacklist server_cert_fingerprint "/etc/squid/SSL_BLACKLIST"
>
> ssl_bump splice whitelist
> ssl_bump peek step1
> ssl_bump stare all
> ssl_bump terminate blacklist
> ssl_bump bump all
Please consider adding this fine example to the SslPeekAndSplice wiki
page at http://wiki.squid-cache.org/Features/SslPeekAndSplice
Please note that if you do not want to bump anything, then the following
should also work (bugs notwithstanding):
ssl_bump splice whitelist
ssl_bump peek all
ssl_bump terminate blacklist
ssl_bump splice all
Thank you,
Alex.
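As an added example that is not part of this thread: a small Python helper that computes the SHA1 fingerprint the server_cert_fingerprint ACL matches on (SHA1 over the certificate's DER encoding) and emits it in the colon-separated form used for the /etc/squid/SSL_BLACKLIST file, then checks a certificate against such a list. The sample PEM and list contents are constructed, and the list format assumed here (one fingerprint per line, '#' comments) is an assumption, not taken from the thread.

```python
import base64
import hashlib
import re

# Constructed sample: the PEM body is base64 of the bytes b"abc", standing in
# for a real DER certificate so the example runs offline.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed blacklist contents in the assumed file format:
# one SHA1 fingerprint per line, any case or separator, '#' comments.
SAMPLE_BLACKLIST = """# constructed example list
a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d
DA39A3EE5E6B4B0D3255BFEF95601890AFD80709   # SHA1 of an empty body
"""

def der_from_pem(pem: str) -> bytes:
    """Extract the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def normalize_fingerprint(fp: str) -> str:
    """Accept 'aa:bb:..', 'AABB..' or 'aa bb ..' and return the 'AA:BB:..' form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fp)
    if len(hexdigits) != 40:
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2)).upper()

def fingerprint_from_pem(pem: str) -> str:
    """SHA1 over the DER encoding, i.e. the value the ACL compares against."""
    return normalize_fingerprint(hashlib.sha1(der_from_pem(pem)).hexdigest())

def load_blacklist(text: str) -> set:
    """Parse blacklist file contents into a set of normalized fingerprints."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            entries.add(normalize_fingerprint(line))
    return entries

def is_blacklisted(pem: str, blacklist_text: str) -> bool:
    """True if the certificate's fingerprint appears in the list."""
    return fingerprint_from_pem(pem) in load_blacklist(blacklist_text)

if __name__ == "__main__":
    print(fingerprint_from_pem(SAMPLE_PEM))
    print(is_blacklisted(SAMPLE_PEM, SAMPLE_BLACKLIST))
```

A fingerprint pins one exact certificate, so a re-issued certificate for a blacklisted server needs a fresh entry.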