Hi
I would like to bump requests to sites with invalid certificates only.
Sites that have valid SSL certificates should not be bumped (bump decision
based on valitidy of the SSL cert).
First, I tried this ACL:
acl InvalidCert ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
acl InvalidCert ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
acl InvalidCert ssl_error X509_V_ERR_CERT_NOT_YET_VALID
acl InvalidCert ssl_error X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
acl InvalidCert ssl_error X509_V_ERR_CERT_HAS_EXPIRED
acl InvalidCert ssl_error X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
acl InvalidCert ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
ssl_bump allow InvalidCert
ssl_bump deny all
Result: Squid uses CONNECT for https.
Interpretation: 'ssl_bump deny all' always matches.
Second, I tried this ACL:
acl NoSSLError ssl_error SSL_ERROR_NONE
ssl_bump deny NoSSLError
ssl_bump allow all
Result: Squid uses CONNECT for https.
Interpretation: 'ssl_bump deny NoSSLError' always matches.
Last, I also tried "normal" ACLs such as:
ACL whitelisted dstdomain .somedomain.com
ssl_bump deny whitelisted
ssl_bump allow all
This works as expected. If .somedomain.com is https, Squid uses CONNECT.
All other https sites are bumped.
I am aware of that the ssl_error ACL type is not documented (at least I
could not find any).
I'm trying this setup with Squid 3.1.0.2.
Can this sort of ACL (bump decision based on validity of Cert) be done or
is this a bug?
Thanks,
Philipp
Received on Sun Nov 23 2008 - 11:15:39 MST
This archive was generated by hypermail 2.2.0 : Sun Nov 23 2008 - 12:00:04 MST