Hi Alex,
> If bumping SSL traffic without client consent or knowledge was possible,
> SSL would be useless.
that's why I dropped the ssl_bump server-first approach for now. But what about
the SSL Peek and Splice feature? Don't get me wrong, I'm not interested in
decrypting all user traffic, but in finding a better solution than using the dst
IP address to decide if the user is allowed to access a site or not.
I already managed to see Hellos in the logs when switching on ssl_bump
peek-and-splice, but I fail to write an ACL filtering for the ServerName in the
Hello to decide if the traffic should be bumped or not. Allowed sites should
simply go to the ssl_bump none option then. AND by using ssl_bump none, no
config change is required on the client.
Currently I'm doing this with a script-updated IP list, but with the common
limitations of IP (no wildcard domains, no regex, CDN IPs may not be actual, not
even considering IPv6 and so on).
However, I don't know how far along the peek and splice feature is; is it
currently possible to filter for the Hello messages?
Greetings, and have a nice weekend, all,
Alex
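The SNI-based allow list described in the message above, as an added squid.conf example (not part of the original thread or of Squid's documentation). It assumes Squid 3.5 or later, where the peek/splice actions, the `at_step` ACL and the `ssl::server_name` / `ssl::server_name_regex` ACLs exist; the CA file paths and the domain names are placeholders.

```squid
# Assumed: Squid 3.5+, transparent interception of port 443 traffic.
# The cert/key are placeholders; a CA is required on the port even though
# nothing below ever bumps, so no client needs to trust it.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/proxy-ca.pem key=/etc/squid/proxy-ca.key \
    generate-host-certificates=off

# Sites users may reach, matched on the ServerName (SNI) in the ClientHello.
# Leading dot = the domain and all its subdomains; regex covers CDN-style names.
acl allowed_sni    ssl::server_name .example.com .example.org
acl allowed_sni_re ssl::server_name_regex -i ^(www|cdn[0-9]*)\.example\.net$

# Step 1 of SslBump: Squid has only the intercepted destination so far.
acl step1 at_step SslBump1

# Peek at the ClientHello first. This reads the SNI without decrypting
# anything and without generating a certificate.
ssl_bump peek step1

# At step 2 the SNI is known: allowed names are spliced, i.e. the TLS bytes
# are passed through untouched (the equivalent of the old "ssl_bump none").
ssl_bump splice allowed_sni
ssl_bump splice allowed_sni_re

# Everything else, including ClientHellos without SNI (which match nothing
# above), is closed at step 2. User traffic is never decrypted.
ssl_bump terminate all
```

A ClientHello that omits SNI falls through to `terminate`; if such clients must be tolerated, add an explicit `ssl::server_name` rule for the destinations they are known to use rather than loosening the final rule.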
Received on Fri Apr 26 2013 - 17:08:58 MDT