Well. You can't really open "decipher" ssl without changing certificate,
but you can exclude some sites from ssl bumping.

Eero

On Tue, Aug 21, 2018 at 9:31 AM Mimiko <vbv...@gmail.com> wrote:

> Thank you all for suggestions.
>
> Yes, I didn't tell my goal. First of course is to limit access to web
> sites and collect statistics. Yes this could be done with squid and
> ssl_bump. I hope this does not change certificate as internet-banking
> will not work.
> The problem for a quick implementation is with need of squid recompile to
> support ssl.
>
> The second goal is intercept packets on other ports for limiting services,
> like skype, teamviewer (especially).
>
> For now I use iptables -m string --algo kmp --to 65535 --string to
> intercept some strings on connection and block access to some sites by
> domain name.
> But this will not allow me to block access to all sites and allow access
> to only several sites.
>
> I was looking for a quick implementation.
>
> l7filter was interesting for me, but it is not supported anymore. nDPI
> scares me with patching kernel. And OpenDPI is not in repository.
>
> I will try to implement OpenDPI by compiling, also as squid, but this is a
> long process.
>
> As I read for snort, suricata, zorp - it is a self contained firewall. I
> use a standard Debian installation where I run several different services.
>
> Thanks again.
>
>
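
The exclusion Eero mentions, sketched as a squid.conf fragment. This is an added example, not part of the thread; the CA path and the `.example` domains are placeholders, and it assumes Squid 3.5 or later built with TLS support.

```conf
# Added example, not from the thread. Path and domain names are placeholders.

# Proxy port with SslBump enabled. The CA named here signs the certificates
# Squid generates for connections it decrypts, so clients must trust it.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Step 1 of the TLS handshake: only the client's SNI is available.
acl step1 at_step SslBump1

# Sites that must keep their original certificate (constructed names).
acl no_bump ssl::server_name .bank.example .payments.example

# Read the ClientHello to learn the requested server name; nothing is altered.
ssl_bump peek step1

# Excluded sites are tunnelled as-is: the client sees the real server
# certificate and Squid never decrypts the traffic.
ssl_bump splice no_bump

# Every other TLS connection is decrypted and re-signed with the local CA.
ssl_bump bump all
```

Rule order matters: the `splice` line has to come before `bump all`, because Squid applies the first matching `ssl_bump` rule at each step.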
