[Fwd: Re: sslBump: only bump requests to sites with invalid certificates]

From: Philipp <mailinglists_at_belfin.ch>
Date: Sun, 23 Nov 2008 19:31:14 +0100 (CET)

Philipp wrote:
> Hi
>
> I would like to bump requests to sites with invalid certificates only.
> Sites that have valid SSL certificates should not be bumped (bump decision
> based on validity of the SSL cert).
>
> First, I tried this ACL:
> acl InvalidCert ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> acl InvalidCert ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
> acl InvalidCert ssl_error X509_V_ERR_CERT_NOT_YET_VALID
> acl InvalidCert ssl_error X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
> acl InvalidCert ssl_error X509_V_ERR_CERT_HAS_EXPIRED
> acl InvalidCert ssl_error X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
> acl InvalidCert ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
> ssl_bump allow InvalidCert
> ssl_bump deny all
>
> Result: Squid uses CONNECT for https.
> Interpretation: 'ssl_bump deny all' always matches.
>
>
> Second, I tried this ACL:
> acl NoSSLError ssl_error SSL_ERROR_NONE
> ssl_bump deny NoSSLError
> ssl_bump allow all
>
> Result: Squid uses CONNECT for https.
> Interpretation: 'ssl_bump deny NoSSLError' always matches.
>
>
> Last, I also tried "normal" ACLs such as:
> ACL whitelisted dstdomain .somedomain.com
> ssl_bump deny whitelisted
> ssl_bump allow all
>
> This works as expected. If .somedomain.com is https, Squid uses CONNECT.
> All other https sites are bumped.
>
>
> I am aware that the ssl_error ACL type is not documented (at least I
> could not find any documentation).
> I'm trying this setup with Squid 3.1.0.2.
> Can this sort of ACL (bump decision based on validity of Cert) be done or
> is this a bug?
>

Looks like it's probably a bug.
Please report it so the sslbump guys can check.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.2
Received on Sun Nov 23 2008 - 18:31:23 MST
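The three ssl_bump configurations from the thread, modelled as an added example that is not part of the thread or of Squid: a small Python simulation of Squid's first-match access-list evaluation, showing the decision each configuration is meant to produce once the certificate errors are known. The parser, the two ACL types it understands and the abridged InvalidCert list are assumptions of this model; it shows the intended logic, not the behaviour Squid 3.1.0.2 actually showed in the thread.

```python
from typing import Dict, List, Set, Tuple

# ACL name -> (acl type, set of values); a rule is (action, acl name)
Acls = Dict[str, Tuple[str, Set[str]]]

def parse_config(text: str) -> Tuple[Acls, List[Tuple[str, str]]]:
    """Parse 'acl NAME TYPE value ...' and 'ssl_bump allow|deny ACLNAME' lines.
    Repeated 'acl NAME' lines extend the same ACL, as they do in squid.conf."""
    acls: Acls = {}
    rules: List[Tuple[str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "acl":
            acls.setdefault(parts[1], (parts[2], set()))[1].update(parts[3:])
        elif len(parts) == 3 and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2]))
    return acls, rules

def acl_matches(acl_type: str, values: Set[str], dst_domain: str, cert_errors: Set[str]) -> bool:
    if acl_type == "ssl_error":
        # SSL_ERROR_NONE matches only when verification reported no error at all.
        if "SSL_ERROR_NONE" in values and not cert_errors:
            return True
        return bool(values & cert_errors)
    if acl_type == "dstdomain":
        # A leading dot matches the domain itself and every subdomain.
        return any(dst_domain == v.lstrip(".") or (v.startswith(".") and dst_domain.endswith(v))
                   for v in values)
    raise ValueError(f"unsupported acl type in this model: {acl_type}")

def ssl_bump_decision(config: str, dst_domain: str, cert_errors: Set[str]) -> bool:
    """True = bump (intercept), False = plain CONNECT tunnel."""
    acls, rules = parse_config(config)
    for action, name in rules:
        if name == "all" or acl_matches(*acls[name], dst_domain, cert_errors):
            return action == "allow"          # first matching line decides
    # Squid convention: if no line matches, the opposite of the last line applies.
    return bool(rules) and rules[-1][0] != "allow"

# The thread's configurations (InvalidCert abridged to three of its seven codes).
CONFIG_INVALID_ONLY = """
acl InvalidCert ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
acl InvalidCert ssl_error X509_V_ERR_CERT_HAS_EXPIRED
acl InvalidCert ssl_error X509_V_ERR_CERT_NOT_YET_VALID
ssl_bump allow InvalidCert
ssl_bump deny all
"""
CONFIG_NO_ERROR = "acl NoSSLError ssl_error SSL_ERROR_NONE\nssl_bump deny NoSSLError\nssl_bump allow all\n"
CONFIG_WHITELIST = "ACL whitelisted dstdomain .somedomain.com\nssl_bump deny whitelisted\nssl_bump allow all\n"
```

Calling `ssl_bump_decision(CONFIG_INVALID_ONLY, "www.example.com", {"X509_V_ERR_CERT_HAS_EXPIRED"})` returns True and the same call with an empty error set returns False, which is the outcome the first configuration was written to achieve.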
