Re: [squid-users] RE: transparent https interception without mitm

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 12 Jul 2014 00:41:29 +1200

On 12/07/2014 12:24 a.m., James Harper wrote:
>>
>> Is it possible for squid to intercept and apply ACLs to https
>> without actually decrypting and generating certificates etc? The
>> conversation would go something like:
>>
>
> It actually almost works if I put a dummy cert on the https_port
> config line with ssl-bump, but then use none for ssl_bump. In order
> to parse the dstdomain, I assume squid must be getting the cert cn
> first, right? Unfortunately it seems to throw the details it gathered
> away after checking what bump to use as all I get in there is the
> destination IP. Logging %ssl::>cert_subject just shows "-".

http://www.squid-cache.org/Doc/config/logformat/:
 %ssl::>cert_subject log the Subject field of a SSL certificate ...

 ... *received from the client.*

PS. MITM starts when your description needs to use the word "intercept"
or one of its variations.

Amos
Received on Fri Jul 11 2014 - 12:41:40 MDT
