[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump

Tom Tom tomtux007 at gmail.com
Mon Dec 7 21:05:05 UTC 2015


The configuration provided by Alex works for me (squid 3.5.11) if:
* the http_port directive is configured with ssl-bump and a
certificate (e.g. http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem)
* the SHA1 fingerprint in the file SSL_BLACKLISTS is delimited with a
colon after every two characters
(9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50 for
ar***krebs.de)

Kind regards,
Tom

On Mon, Dec 7, 2015 at 4:02 PM, Alex Rousskov
<rousskov at measurement-factory.com> wrote:
> On 12/07/2015 04:37 AM, Ralf Hildebrandt wrote:
>> * Alex Rousskov <rousskov at measurement-factory.com>:
>>> Please note that if you do not want to bump anything, then the following
>>> should also work (bugs notwithstanding):
>>>
>>>     ssl_bump splice whitelist
>>>     ssl_bump peek all
>>>     ssl_bump terminate blacklist
>>>     ssl_bump splice all
>>
>> That doesn't seem to work for me (squid 3.5.2)
>
>> Yet I still can connect. What am I doing wrong?
>
> If you are indeed using v3.5.2, then that is a big red flag.
>
> If you are using the latest v3.5 release, then you should open a bug
> report, preferably with an ALL,9 log depicting a single failing
> transaction. AFAICT, the above is meant to work. If it does not, there
> is either a Squid bug or misconfiguration [that I cannot detect by
> reading email].
>
>
> Thank you,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
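The format detail Tom reports (20 hex bytes, colon-separated, one per line) is the part that is easy to get wrong when the blacklist is assembled from different sources, since some tools emit bare hex. The following is an added example, not code from the thread or from the Squid project: it derives the SHA1 fingerprint of a certificate from its PEM (SHA1 over the DER bytes, which is what the fingerprint is), normalizes bare-hex or lower-case entries into the colon form, and lints a blacklist file so that malformed lines are reported rather than silently never matching. The certificate and the blacklist text are constructed inline for the example (the PEM body is not a real certificate, just the base64 of three bytes so the digest is checkable); the ACL name and file path in the comments are assumptions, and whether Squid treats `#` lines in an ACL file as comments should be checked against your version rather than taken from this script.

```python
"""Generate and lint SHA1 certificate fingerprints in the colon form Squid expects.

Added example; assumes an ACL such as
    acl blacklist server_cert_fingerprint -sha1 "/usr/local/squid/SSL_BLACKLISTS"
is what consumes the file (assumption, not shown on the page).
"""
import base64
import hashlib
import re

# Exactly what the thread says works: 20 bytes, each as two hex digits, colon-delimited.
FP_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$")

# Constructed stand-in for a PEM certificate: base64("abc") so the digest is a known test vector.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed blacklist: a comment, Tom's delimited entry, and a bare-hex entry
# of the same value that would never match in Squid because it lacks the colons.
SAMPLE_BLACKLIST = """# constructed example file
9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50
9EC8153F27C9B5BAB91749C80AD7DF21D38C8050
"""


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    body, inside = [], False
    for line in pem.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----":
            break
        elif inside and line:
            body.append(line)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body), validate=True)


def sha1_fingerprint(der: bytes) -> str:
    """SHA1 over the DER encoding, rendered as upper-case colon-separated hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def normalize_fingerprint(text: str) -> str:
    """Accept 'AABB...' or 'aa:bb:...' and return the colon form; reject anything else."""
    raw = text.strip().replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", raw):
        raise ValueError(f"not a SHA1 fingerprint: {text!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 40, 2))


def load_blacklist(text: str):
    """Parse a blacklist file.

    Returns (accepted, rejected): accepted is a set of fingerprints already in the
    form Squid matches; rejected is a list of (line_number, line) that would be
    ignored or never match, so the operator can fix them with normalize_fingerprint.
    Lines starting with '#' are skipped here (assumption about comment handling).
    """
    accepted, rejected = set(), []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if FP_RE.match(stripped):
            accepted.add(stripped.upper())
        else:
            rejected.append((number, line))
    return accepted, rejected


def is_blacklisted(der: bytes, accepted: set) -> bool:
    """The check Squid performs in spirit: does this server certificate's SHA1 appear in the list?"""
    return sha1_fingerprint(der) in accepted


if __name__ == "__main__":
    good, bad = load_blacklist(SAMPLE_BLACKLIST)
    print("accepted:", sorted(good))
    for number, line in bad:
        print(f"line {number} rejected: {line!r} -> use {normalize_fingerprint(line)}")
    print("sample cert fingerprint:", sha1_fingerprint(pem_to_der(SAMPLE_PEM)))
```

For a real certificate, `openssl x509 -noout -fingerprint -sha1 -in cert.pem` prints the same colon-delimited form, so its output can be pasted into the file directly; the linter above is for catching entries that arrived as bare hex from other tooling.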
