
List:       squid-dev
Subject:    Re: [Fwd: Re: sslBump: only bump requests to sites with invalid
From:       Henrik Nordstrom <henrik () henriknordstrom ! net>
Date:       2008-11-25 21:50:52
Message-ID: 1227649852.16488.14.camel () henriknordstrom ! net


On Sun, 2008-11-23 at 19:31 +0100, Philipp wrote:

> > I would like to bump requests to sites with invalid certificates only.
> > Sites that have valid SSL certificates should not be bumped (bump decision
> > based on validity of the SSL cert).

That is somewhat hard to accomplish due to the way ssl operates. The SSL
connection is intercepted by ssl bump before the connection to the
requested web server is established. It can't be done after as the
encryption has then already been negotiated end-to-end.

But yes, it's theoretically possible by creating a temporary SSL
connection to the requested site before deciding if the CONNECT request
should be intercepted or not.

One way to implement this would be via an external acl performing the
temp SSL connection check. Apart from the helper performing the SSL
connection probe this requires the ssl_bump access lookup to be reworked
into a full (non-"fast") acl check (ClientHttpRequest::sslBumpNeeded).

Regards
Henrik

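An external ACL helper along the lines Henrik sketches, added here as an illustration (it is not code from the thread or from Squid): it opens a short-lived TLS connection to the requested site, validates the certificate, and answers OK only when validation fails so that ssl_bump matches just those sites. The squid.conf wiring, the `%DST %PORT` request format and the helper path are assumptions.

```python
#!/usr/bin/env python3
"""Squid external_acl helper (hypothetical): answers OK when the origin's
certificate fails validation, so that ssl_bump matches only those sites.
Assumed squid.conf wiring:
  external_acl_type badcert ttl=300 %DST %PORT /usr/local/bin/badcert_probe.py
  acl badcert external badcert
  ssl_bump allow badcert
  ssl_bump deny all
"""
import socket
import ssl
import sys

def probe_cert(host, port, timeout=5.0):
    """Temporary TLS connection to the origin. create_default_context()
    requires a chain to the system trust store and checks the hostname;
    a failure raises ssl.SSLCertVerificationError during the handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host):
            pass  # handshake done; the probe connection is dropped on exit

def parse_request(line):
    """One request per line from Squid: '<host> <port>' (from %DST %PORT)."""
    parts = line.split()
    if len(parts) != 2 or not parts[1].isdigit():
        raise ValueError("malformed helper request: %r" % line)
    return parts[0], int(parts[1])

def decide(line, probe=probe_cert):
    """Map the probe outcome to Squid's reply: OK = cert invalid (bump),
    ERR = cert valid. Unreachable hosts and malformed lines also give
    ERR, so a failed probe never turns into an unintended bump."""
    try:
        host, port = parse_request(line)
        probe(host, port)
    except ssl.SSLCertVerificationError:
        return "OK"
    except (ValueError, OSError):  # SSLError and socket errors are OSError
        return "ERR"
    return "ERR"

def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line.rstrip("\n")) + "\n")
        sys.stdout.flush()  # Squid reads one answer line per request

if __name__ == "__main__":
    main()
```

As Henrik notes, this only works once the ssl_bump lookup is a full (slow) ACL check, since an external ACL cannot be consulted from a fast check; the helper also does not handle the channel-ID prefix Squid adds when `concurrency=` is configured.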
