On 2014-07-11 10:14, Alex Rousskov wrote:
> On 07/11/2014 05:43 AM, James Harper wrote:
>
>> Is it possible for squid to intercept and apply acl's to https
>> without actually decrypting and generating certificates etc? The
>> conversation would go something like:
>
>> . Client makes connection to IP 1.2.3.4
>> . Squid intercepts the connection (but doesn't respond yet)
>> . Squid connects to 1.2.3.4 to obtain the hostname (CN or other
>> identifier) of the certificate [1]
>> . Squid applies ACL rules to the hostname [2]
>> . If the ACL results in a deny then the client connection is dropped
>> [3]
>> . If the ACL results in an allow then a new connection is made to
>> the 1.2.3.4 and squid just blindly proxies the TCP connection
>>
>> [1] I believe certificates can be valid for multiple hostnames, and
>> wildcards, so this would have to be taken into account
>> [2] stream is encrypted, so obviously no access to URL etc
>> [3] dropped, because there isn't much else you can do with it,
>> although maybe at this point a fake cert could be used to supply an
>> "access denied" page?
>
>
> I believe the above is one of the use cases that SSL Peek and Splice
> project aims to address. Look for step2 "peek" and "terminate"
> actions
> specifically:
>
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> IIRC, both of those actions are supported in the experimental project
> branch, but we have not polished the changes for the official
> submission
> yet.
>
>
> https://code.launchpad.net/~measurement-factory/squid/peek-and-splice
>
>
> HTH,
>
> Alex.
I'd like this as well...how do we get the branch? Thanks.
James
Received on Fri Jul 11 2014 - 16:18:28 MDT
This archive was generated by hypermail 2.2.0 : Sat Jul 12 2014 - 12:00:05 MDT