Re: [squid-users] sslBump: only bump requests to sites with invalid certificates

From: Amos Jeffries <>
Date: Mon, 24 Nov 2008 01:00:08 +1300

Philipp wrote:
> Hi
> I would like to bump requests to sites with invalid certificates only.
> Sites that have valid SSL certificates should not be bumped (bump decision
> based on validity of the SSL cert).
> First, I tried this ACL:
> acl InvalidCert ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> acl InvalidCert ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
> acl InvalidCert ssl_error X509_V_ERR_CERT_NOT_YET_VALID
> acl InvalidCert ssl_error X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
> acl InvalidCert ssl_error X509_V_ERR_CERT_HAS_EXPIRED
> acl InvalidCert ssl_error X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
> acl InvalidCert ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
> ssl_bump allow InvalidCert
> ssl_bump deny all
> Result: Squid uses CONNECT for https.
> Interpretation: 'ssl_bump deny all' always matches.
> Second, I tried this ACL:
> acl NoSSLError ssl_error SSL_ERROR_NONE
> ssl_bump deny NoSSLError
> ssl_bump allow all
> Result: Squid uses CONNECT for https.
> Interpretation: 'ssl_bump deny NoSSLError' always matches.
> Last, I also tried "normal" ACLs such as:
> ACL whitelisted dstdomain
> ssl_bump deny whitelisted
> ssl_bump allow all
> This works as expected. If is https, Squid uses CONNECT.
> All other https sites are bumped.
> I am aware that the ssl_error ACL type is not documented (at least I
> could not find any).
> I'm trying this setup with Squid
> Can this sort of ACL (bump decision based on validity of Cert) be done or
> is this a bug?

Looks like it's probably a bug.
Please report it so the sslbump guys can check.


Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid
Received on Sun Nov 23 2008 - 12:00:17 MST

This archive was generated by hypermail 2.2.0 : Sun Nov 23 2008 - 12:00:04 MST