Seems to me it would be more useful as an external ACL, so that a decision could be made based on other factors (e.g. src or dstdomain) whether to deny or allow the un-bumpable connection.
On Sun, Jan 4, 2015 at 4:29 PM, Yuri Voinov <yvoi...@gmail.com> wrote:
> As I can see, we have two major problems with SSL Bump now.
>
> 1. Stupid apps and their stupid developers - like ICQ and other stupid IM -
> which hope port 443 will never be blocked, because it is used for
> logons/internet banking etc. This stupid way breaks standards (?) and
> makes us crazy. Now the single solution is to catch them manually and pass
> them without bumping. This is the simplest problem. And I hope it will be
> solved in core - i.e. in Squid directly.
>
> 2. SSL pinned sites. We cannot do anything with them except sniff them
> and pass them by IP without bump.
>
> The first problem seems easy to solve. Either by helper, or by squid - no
> matter. It's really simple. Just check the SSL cert on the server side -
> and make the decision - to bump, or not to bump.
>
> The second problem seems difficult and now I can't see any reasonable
> solution, except a sniffer/manual add to an acl.
>
> Any ideas? Will a helper be written?
>
> WBR, Yuri
>
> 05.01.2015 2:17, Douglas Davenport wrote:
> > I saw a very similar feature in ufdbGuard which is a URL filter
> > implemented as a Squid Redirector. They have a feature which probes the
> > destination server for a valid HTTPS cert in parallel to the user's
> > connection and terminates it if it turns out not to be a valid HTTPS cert.
> > Their code is open source, maybe this could be helpful in creating such a
> > helper?
> >
> > http://www.urlfilterdb.com/home.html
> >
> > On Sat, Jan 3, 2015 at 3:45 AM, Yuri Voinov <yvoi...@gmail.com> wrote:
> > > Term "HTTPS" is often used as "any connect over port 443"....
> > >
> > > 03.01.2015 13:59, Jason Haar wrote:
> > > > On 01/01/15 00:11, James Harper wrote:
> > > > > The helper connects to the IP:port and tries to obtain the
> > > > > certificate, and then caches the result (in an sqlite database). If it
> > > > > can't do so within a fairly short time it returns failure (but keeps
> > > > > trying a bit longer and caches it for next time). Alternatively if the
> > > > > IP used to be SSL but is now timing out it returns the previously cached
> > > > > value. Negative results are cached for an increasing amount of time each
> > > > > time it fails, on the basis that it probably isn't SSL.
> > > >
> > > > That sounds great James! I'd certainly like to take a look at it too
> > > >
> > > > However, you say "SSL" - did you mean "HTTPS"? ie discovering an ip:port
> > > > is an IMAPS server doesn't really help squid talk to it - surely you want
> > > > to discover HTTPS servers - and everything else should be
> > > > pass-through/splice?
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
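The helper James Harper describes (probe the IP:port for a TLS certificate, cache the verdict in SQLite, keep the old verdict when a known-TLS peer starts timing out, and back off on repeated negatives) maps naturally onto the external ACL suggested in the reply above. The following is an added example written for this thread; it is not James Harper's helper, not ufdbGuard's probe, and not part of Squid. It assumes a hypothetical squid.conf (shown in the docstring) that feeds `%DST %PORT` to the helper with no `concurrency=` option, a cache file path chosen here for illustration, and the sample host `192.0.2.10` used only in comments.

```python
#!/usr/bin/env python3
"""tls_probe_acl.py: Squid external ACL helper that probes whether a
destination host:port speaks TLS and caches the verdict in SQLite.
Added example modelled on the helper described in the thread; assumed
squid.conf (hypothetical, not from the thread):

  external_acl_type tls_probe ttl=300 negative_ttl=60 %DST %PORT \
      /usr/local/bin/tls_probe_acl.py
  acl speaks_tls external tls_probe
  ssl_bump peek step1
  ssl_bump bump speaks_tls
  ssl_bump splice all
"""
import socket
import sqlite3
import ssl
import sys
import time

CACHE_PATH = "/var/cache/squid/tls_probe.sqlite"  # assumed location
PROBE_TIMEOUT = 3.0                # "fairly short" per the thread
POSITIVE_TTL = 24 * 3600           # seconds to trust a "speaks TLS" verdict
NEGATIVE_BASE_TTL = 60             # first negative cached for one minute
NEGATIVE_MAX_TTL = 6 * 3600        # cap on the negative back-off


def negative_ttl(failures):
    """Lifetime of the n-th consecutive negative verdict: doubles each time."""
    return min(NEGATIVE_BASE_TTL * 2 ** (failures - 1), NEGATIVE_MAX_TTL)


def probe_tls(host, port, timeout=PROBE_TIMEOUT):
    """Attempt a TLS handshake with host:port.
    'valid'     - handshake completed and the chain verified against the
                  system trust store (name check included)
    'untrusted' - handshake completed but chain/name verification failed
    'none'      - no TLS within the timeout (refused, timed out, plain text)"""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "valid"
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except (ssl.SSLError, OSError):   # socket.timeout is an OSError subclass
        return "none"


class ProbeCache:
    """SQLite-backed verdict cache: one row per host:port."""

    def __init__(self, path=CACHE_PATH):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS probes ("
                        "key TEXT PRIMARY KEY, verdict TEXT, "
                        "expires REAL, failures INTEGER)")

    def get(self, key):
        """Return (verdict, expires, failures) or None."""
        return self.db.execute("SELECT verdict, expires, failures FROM probes "
                               "WHERE key = ?", (key,)).fetchone()

    def put(self, key, verdict, expires, failures):
        self.db.execute("INSERT OR REPLACE INTO probes VALUES (?, ?, ?, ?)",
                        (key, verdict, expires, failures))
        self.db.commit()


def decide(cache, host, port, now=None, prober=probe_tls):
    """Verdict for host:port, probing only when the cached entry is stale.
    Rules from the thread: a peer that used to speak TLS but now times out
    keeps its old verdict; repeated negatives are cached for longer each time."""
    now = time.time() if now is None else now
    key = f"{host}:{port}"
    cached = cache.get(key)
    if cached and cached[1] > now:
        return cached[0]
    result = prober(host, port)
    if result == "none" and cached and cached[0] != "none":
        # Previously TLS, now unreachable: keep the old answer for a grace period.
        cache.put(key, cached[0], now + NEGATIVE_BASE_TTL, 0)
        return cached[0]
    if result == "none":
        failures = cached[2] + 1 if cached else 1
        cache.put(key, "none", now + negative_ttl(failures), failures)
    else:
        cache.put(key, result, now + POSITIVE_TTL, 0)
    return result


def main():
    """Squid helper loop: one '%DST %PORT' request per stdin line, one reply per line."""
    cache = ProbeCache()
    for line in sys.stdin:
        fields = line.split()
        try:
            host, port = fields[0], int(fields[1])
        except (IndexError, ValueError):
            print("BH", flush=True)          # malformed request: helper error
            continue
        verdict = decide(cache, host, port)
        status = "OK" if verdict != "none" else "ERR"
        print(f"{status} log=tls:{verdict}", flush=True)


if __name__ == "__main__":
    main()
```

The ACL answers OK for any peer that completes a TLS handshake, whether or not its certificate verifies, because the question in the thread is "is this TLS at all?"; the verification result is only carried in the `log=` field so access.log shows it. For intercepted traffic `%DST` is an IP literal, so the name check will normally fail and `untrusted` is the expected verdict for healthy sites. The "keeps trying a bit longer in the background" part of James's design is not implemented here; a stale negative simply triggers a fresh probe on the next request after its TTL.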