[prev in list] [next in list] [prev in thread] [next in thread]
List: squid-users
Subject: Re: [squid-users] Block and allow connections by CA
From: Alex Rousskov <rousskov () measurement-factory ! com>
Date: 2019-12-19 20:47:55
Message-ID: 17619774-5c6e-171d-87fe-0cdaf29393a1 () measurement-factory ! com
[Download RAW message or body]
On 12/19/19 5:56 AM, PatrĂcia Sousa wrote:
> I would like to have an IoT device that only receives and sends requests
> to and from certain devices that belong and are authenticated by a
> specific certificate authority. Is it possible to block all other
> connections or only allow connections from devices that belong to a
> specific CA?
Yes, I believe it is possible:
* Squid can check (via an https_port configuration option) that a TLS
client possesses a certificate signed by a specific CA.
* Squid can check (via a ca_cert ACL) that a TLS server uses a
certificate signed by a specific CA. This ACL can be applied during
SslBump step3 processing, but there may be a way to sneak it in without
using SslBump (or such a way can be added by modifying Squid).
If ca_cert options are not enough, Squid can check other server
certificate properties via a custom certificate validation daemon (which
you would have to write). Or one could add support for more properties
to the ca_cert ACL.
Alex.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic