On 20/01/2013 01:24, Amos Jeffries wrote:
> On 19/01/2013 3:37 a.m., vincent viard wrote:
>> Hello,
>>
>> I ask you about the feasibility of achieving an validation server
>> certificates used during session establishment SSL/TLS in HTTPS at the
>> level of SQUID proxy ?
>> The idea is not to break the SSL session with a man-in-the-middle (ex.
>> SSLBump), but to authenticate (and to authorize) the target with a
>> white or black list of CAs. In other words, realize with Squid, the
>> first validation of the SSL handshake logically made by the client
>> browser on the certificate of server.
>>
>> In advance, thank you and good day.
>>
>> Vince
>
> Please see http://wiki.squid-cache.org/Features/SslServerCertValidator
>
> This feature is merged and will be in 3.4 series when it is released.
> To use it now you need to build the 3.HEAD Squid sources.
>
Can squid handle a slightly simpler case where we want to restrict
CONNECT access to servers which meet/fail to match a certain SSL cname?
eg I want to block facebook access, but without sslbump, so I allow SSL
proxying, but deny connections to servers with an SSL cname *.facebook.com?
Thanks
Ed W
Received on Sat Feb 09 2013 - 18:59:01 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 12 2013 - 12:00:05 MST