[squid-users] HTTPS intercept, simple configuration to avoid bank bumping

Jason Haar Jason_Haar at trimble.com
Tue Jan 27 20:09:10 UTC 2015


On 27/01/15 11:13, Dan Charlesworth wrote:
> Wasn't somebody saying that you'd need write an External ACL to
> evaluate the SNI host because dstdomain isn't hooked into that code
> (yet? ever?)?

That can't be the case. If the external ACL is called without the SNI,
then at best all it can do is connect to an IP address and scrape the
server response. But some SSL servers (especially WAFs) are configured
to DROP connections if they don't see a client SNI (I've seen this with
CDN networks with my own experience with external ACLs). Only squid has
access to the SNI - it has to be done in squid code.

Jason


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150128/3172d04d/attachment.html>


More information about the squid-users mailing list