[PATCH] SSL server certificate fingerprint ACL type

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Wed, 14 Nov 2012 14:12:56 +0200

SSL server certificate fingerprint ACL type

This patch adds the "server_ssl_cert_fingerprint" acl type to match
against the server SSL certificate fingerprint.
The new acl type has the form:
  acl aclname server_ssl_cert_fingerprint [-sha1] fingerprint1 ...

The fingerprint must be given in the form:
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
where each X is any valid hexadecimal digit

Example usage:
acl BrokeServer dst 192.168.1.23
acl GoodCert server_ssl_cert_fingerprint AB:2A:82:AF:46:AE:1F:31:21:74:65:BF:56:47:25:D1:87:51:41:AE
sslproxy_cert_error allow BrokeServer GoodCert
sslproxy_cert_error deny all

Someone can retrieve the fingerprint of a certificate using the openssl
command:
  # openssl x509 -fingerprint -in test.pem -noout
  # openssl s_client -host www.paypal.com -port 443 2> /dev/null | openssl x509 -fingerprint -noout

This is a Measurement Factory project

Received on Wed Nov 14 2012 - 12:13:08 MST

This archive was generated by hypermail 2.2.0 : Fri Nov 23 2012 - 12:00:08 MST
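The fingerprint form the acl expects (20 colon-separated hex pairs, the SHA1 of the certificate's DER encoding, which is what `openssl x509 -fingerprint` prints) is easy to get subtly wrong in a config: a pasted MD5-length value, lower-case hex, or a stray wrapped line. The helpers below are an added example written for this page, not code from the patch or from Squid; they validate the fingerprint syntax, compute the same SHA1 fingerprint from a PEM or DER blob, and check an `acl NAME server_ssl_cert_fingerprint [-sha1] ...` line the way an operator might before loading it. The certificate bytes are a constructed placeholder, not a real X.509 certificate (SHA1 over the DER bytes does not depend on ASN.1 validity), and the `-sha1` flag handling follows only the syntax given in the patch description.

```python
"""Helpers around Squid's server_ssl_cert_fingerprint acl format (added example)."""
import base64
import hashlib
import re

# A SHA1 fingerprint is 20 bytes, printed as 20 colon-separated hex pairs.
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$")

# Constructed placeholder standing in for a certificate's DER bytes (not a real cert).
CONSTRUCTED_DER = b"constructed placeholder, not a real X.509 certificate"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(CONSTRUCTED_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def is_valid_fingerprint(text):
    """True if `text` has the XX:XX:...:XX (exactly 20 pairs) shape the acl expects."""
    return FINGERPRINT_RE.match(text) is not None


def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the certificate body."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    body = [line for line in lines if line and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def sha1_fingerprint(der):
    """SHA1 over the DER bytes, upper-case hex, colon separated: the value
    `openssl x509 -fingerprint -noout` prints after 'SHA1 Fingerprint='."""
    digest = hashlib.sha1(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def parse_acl_line(line):
    """Parse 'acl NAME server_ssl_cert_fingerprint [-sha1] FP ...' into (NAME, [FP, ...]).

    Fingerprints are normalised to upper case. Raises ValueError on a line that is
    not this acl type or that carries a malformed fingerprint (e.g. an MD5-length one).
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] != "acl" or parts[2] != "server_ssl_cert_fingerprint":
        raise ValueError("not a server_ssl_cert_fingerprint acl line")
    values = parts[3:]
    if values[0] == "-sha1":  # the only hash-type flag the patch description mentions
        values = values[1:]
    bad = [v for v in values if not is_valid_fingerprint(v)]
    if bad or not values:
        raise ValueError(f"malformed fingerprint(s): {bad}")
    return parts[1], [v.upper() for v in values]


def fingerprint_matches(der, acl_fingerprints):
    """Would a server certificate with these DER bytes match the acl's fingerprint list?"""
    return sha1_fingerprint(der) in {fp.upper() for fp in acl_fingerprints}


if __name__ == "__main__":
    fp = sha1_fingerprint(pem_to_der(CONSTRUCTED_PEM))
    name, fps = parse_acl_line(f"acl GoodCert server_ssl_cert_fingerprint -sha1 {fp.lower()}")
    print(f"{name}: {fps[0]} matches placeholder cert: {fingerprint_matches(CONSTRUCTED_DER, fps)}")
```

Pointing `pem_to_der` at the output of the `openssl x509`/`openssl s_client` commands quoted above gives the same fingerprint string as OpenSSL's own `SHA1 Fingerprint=` line, so the acl value can be generated and checked from one place rather than copied by hand.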