Re: [squid-users] Need help on SSL bump and certificate chain

From: <alex_at_imaginers.org>
Date: Mon, 29 Apr 2013 01:24:34 +0200 (CEST)

> > I already managed to see Hellos in the logs when switching on ssl_bump
> > peek-and-splice, but I fail to write an ACL filtering for the ServerName in
> > the hello to decide if the traffic should be bumped or not. Allowed sites
> > should simply go to the ssl_bump none option then. AND by using ssl_bump
> > none, no config change is required on the client.
>
> What about the not allowed sites?
OK, you got me ;) - they are running in the default setting, which means
ssl_bump server-first, and get a certificate error - but as they are trying to
access a site that is not allowed, I don't really care about the error, as they
will be redirected anyway in my environment, and it's not important whether
the squid sends the "wrong" certificate to the client or the redirect webserver
does.

> The currently committed Peek and Splice code may not be able to do what
> you want, but depending on what exactly you want to do, we are getting
> close to a usable state.
>
> If you do want to bump some connections, and are ready to configure
> clients accordingly, then you may want to monitor branch commit messages
> and try again in a week or two. Otherwise, it is likely that what you
> need is either impossible (bumping without knowledge or consent) or
> requires another feature on top of Peek and Splice (terminating
> connections after peeking at the server certificate to learn the server
> name).
I would be fine using the current setup with ssl_bump none for allowed sites
and bumping the not allowed sites with a certificate error. Changing the ACL
from IP to ServerName from the hello messages would be good, to get rid of the
IP script that looks up the actual server IPs.

greetingx,
Alex
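For readers arriving at this thread later: the "splice allowed sites on the ServerName from the ClientHello, bump everything else" setup Alex describes became expressible once Peek and Splice shipped in Squid 3.5. The configuration below is an added example, not something posted in this thread or taken from the Squid project; it assumes Squid 3.5 or later, an intercept port on 3129, a CA at /etc/squid/bumpca.pem, and a constructed allow-list (.example.com, .example.org). It goes beyond what was available in April 2013, when the code was still on a branch.

```conf
# Intercept port; ssl-bump enables bumping, cert= is the signing CA
# (path is an assumption for this example).
http_port 3129 intercept ssl-bump \
    cert=/etc/squid/bumpca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# SslBump1: Squid has only the TCP connection (client IP, intercepted dst IP).
# SslBump2: Squid has peeked at the ClientHello, so SNI is now known.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# ssl::server_name matches the SNI from the ClientHello at step 2 (and,
# if a later peek at the server is done, the names in the server cert).
# Allow-list below is constructed for the example.
acl allowed_sites ssl::server_name .example.com
acl allowed_sites ssl::server_name .example.org

# Step 1: always peek so the ClientHello (and its SNI) is parsed.
ssl_bump peek step1
# Step 2: allowed sites are spliced (Squid never terminates TLS, so no
# client-side trust or config change is needed, matching "ssl_bump none").
ssl_bump splice allowed_sites
# Everything else is bumped; clients that do not trust bumpca.pem will get
# a certificate error, which is the behaviour Alex says is acceptable here.
ssl_bump bump all
```

Two caveats a practitioner should keep in mind. A client that omits SNI (or sends an SNI that does not match the site it actually talks to) will not match `allowed_sites` at step 2 and falls through to `bump all`; if that is a concern, add `ssl_bump peek all` before the bump rule to reach step 3, where `ssl::server_name` can also be checked against the server certificate before deciding between `splice` and `terminate`. And because splicing happens before Squid ever sees the server, an allow-list on SNI alone trusts the client's claim of where it is going; for a stricter policy, only splice after the server certificate has been validated at step 3.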
Received on Sun Apr 28 2013 - 23:24:43 MDT

This archive was generated by hypermail 2.2.0 : Mon Apr 29 2013 - 12:00:06 MDT