[squid-users] Squid 3 SSL bump: Google drive application could not connect
Douglas Davenport
doug1234 at digcorp.net
Mon Jan 5 01:07:12 UTC 2015
Seems to me it would be more useful as an external ACL so that a decision
could be made based on other factors eg src or dstdomain whether to deny or
allow the un-bumpable connection.
On Sun, Jan 4, 2015 at 4:29 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> As I can see, we have two major problems with SSL Bump now.
>
> 1. Stupid apps and it's stupid developers - like ICQ and other stupid IM -
> which is hope 443 port is never be blocked due to using for logons/internet
> banking etc.
> This stupid way broke standards (?) and make us crazy. Now single solution
> is catch them manually and pass it without bumping. This is the simplest
> problem. And I hope it will be solved in core - i.e. in Squid directly.
>
> 2. SSL Pinned sites. We cannot do with them anything excluding sniff it
> and pass by IP without bump.
>
> First problems seems to solve easy. Either by helper, or by squid - no
> matter. It's really simple. Just check SSL cert on server side - and make
> decision - to bump, or not to bump.
>
> The second problem seems difficult and now I can't see any reasonable
> solution, excluding sniffer/manual add to acl.
>
> Any ideas? Will be write helper?
>
> WBR, Yuri
>
> 05.01.2015 2:17, Douglas Davenport пишет:
> > I saw a very similar feature in ufdbGuard which is a URL filter
> implemented as a Squid Redirector. They have a feature which probes the
> destination server for a valid HTTPS cert in parallel to the user's
> connection and terminates it if it turns out not to be a valid HTTPS cert.
> Their code is open source, maybe this could be helpful in creating such a
> helper?
> >
> > http://www.urlfilterdb.com/home.html
> >
> > On Sat, Jan 3, 2015 at 3:45 AM, Yuri Voinov <yvoinov at gmail.com
> <mailto:yvoinov at gmail.com> <yvoinov at gmail.com>> wrote:
> >
> >
> > Term "HTTPS" often uses as "Any connect over 443 port"....
> >
> > 03.01.2015 13:59, Jason Haar пишет:
> > > On 01/01/15 00:11, James Harper wrote:
> > >> The helper connects to the IP:port and tries to obtain the
> > certificate, and then caches the result (in an sqlite database). If it
> > can't do so within a fairly short time it returns failure (but keeps
> > trying a bit longer and caches it for next time). Alternatively if the
> > IP used to be SSL but is now timing out it returns the previously cached
> > value. Negative results are cached for an increasing amount of time each
> > time it fails, on the basis that it probably isn't SSL.
> > > That sounds great James! I'd certainly like to take a look at it too
> >
> > > However, you say "SSL" - did you mean "HTTPS"? ie discovering a
> ip:port
> > > is a IMAPS server doesn't really help squid talk to it - surely you
> want
> > > to discover HTTPS servers - and everything else should be
> > > pass-through/splice?
> >
> >
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> <mailto:squid-users at lists.squid-cache.org>
> <squid-users at lists.squid-cache.org>
> > http://lists.squid-cache.org/listinfo/squid-users
> >
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBAgAGBQJUqbC7AAoJENNXIZxhPexGwwkH/j8XR2fQ4v/r3M2zFuDuhVsP
> JZMM93IvZrGYRzJjAmmwg7ZUoYdwWWEaXoY6GygO+RdZESWfPvh00cSsxwRKfmvm
> 2s7sLDKlPnfUsf9fyWnihCtJg9hETZTsvUqK9I+iopiM1DHq/qwX3Pjkb2e2T45u
> JuqU5ySBZPEt6G1gRn/+F2EyHdhWpa9OOtfeTAt4/oaJIuLoHP7855fif/1eg59U
> QlISZkLjDcL4DqEVM+9UJh9TSN+dawj/Ks+3b+MT8sA/xvVdOyqhLMqnm4MPadSv
> yvK5nQWW4rkfHOJ1zwWq3hAMLjCIXjY4q1NxNQAxdK5ESZvszecvXg3JMKo/THw=
> =Ygen
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150104/02a4e313/attachment.html>
More information about the squid-users
mailing list