Re: [squid-users] Need help on SSL bump and certificate chain

From: <alex_at_imaginers.org>
Date: Fri, 26 Apr 2013 19:08:49 +0200 (CEST)

Hi Alex,

> If bumping SSL traffic without client consent or knowledge was possible,
> SSL would be useless.

that's why I dropped the ssl_bump server-first approach for now. But what about
the SSL Peek and Splice feature? Don't get me wrong, I'm not interested in
decrypting all user traffic, but in finding a better solution than using the dst
IP address to decide whether the user is allowed to access a site or not.

I already managed to see Hellos in the logs when switching on ssl_bump
peek-and-splice, but I fail to write an ACL filtering for the ServerName in the
hello to decide if the traffic should be bumped or not. Allowed sites should
simply go to the ssl_bump none option then. AND by using ssl_bump none, no
config change is required on the client.

Currently I'm doing this with a script-updated IP list, but with the common
limitations of IP (no wildcard domains, no regex, CDN IPs may not be current, not
even considering IPv6 and so on).

However, I don't know how far along the peek and splice feature is. Is it
currently possible to filter on the hello messages?

greetings and have all a nice weekend,
Alex
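The SNI-based policy the poster is asking for, written out as an added example in the ssl_bump syntax documented for Squid 3.5 and later (this is not configuration from the original thread, and the feature was still experimental when the mail was written). The port number, certificate path and domain names are placeholders:

```conf
# Added example (not from the original post): decide per SNI whether a TLS
# connection is spliced through or refused, without decrypting allowed traffic.
# Port, cert path and domain names are constructed placeholders.

# Interception port: clients are redirected here and need no proxy settings.
# A CA cert is still required so Squid can bump/terminate if it ever has to.
http_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl/proxy-ca.pem \
    generate-host-certificates=on

# SslBump1: the client's ClientHello has been read (SNI is known), but nothing
# has been sent to the origin server yet.
acl step1 at_step SslBump1

# Allowed destinations. A leading dot matches the domain and all subdomains;
# the _regex variant covers patterns an IP list cannot express.
acl allowed_sni ssl::server_name .example.com .example.net
acl allowed_sni_re ssl::server_name_regex -i ^cdn[0-9]*\.example\.org$

# Peek at step 1 only to learn the SNI, then forward allowed connections
# byte-for-byte (splice). No certificate is forged and the client is unaware
# of the proxy, which is the "ssl_bump none" behaviour from the older syntax.
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump splice allowed_sni_re

# Anything else is closed without being decrypted.
ssl_bump terminate all
```

Splicing keeps the end-to-end TLS session intact, so the proxy only ever sees the plaintext ClientHello; the decision is therefore only as trustworthy as the SNI the client chose to send, and a client can omit or falsify it. That is why the policy terminates rather than allows anything that does not match, and why `ssl::server_name` should be preferred over the IP list the poster currently maintains.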
Received on Fri Apr 26 2013 - 17:08:58 MDT

This archive was generated by hypermail 2.2.0 : Sat Apr 27 2013 - 12:00:04 MDT