Re: [Fwd: Re: sslBump: only bump requests to sites with invalid certificates]

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Tue, 25 Nov 2008 22:50:52 +0100

On sön, 2008-11-23 at 19:31 +0100, Philipp wrote:

> > I would like to bump requests to sites with invalid certificates only.
> > Sites that have valid SSL certificates should not be bumped (bump decision
> > based on validity of the SSL cert).

That is somewhat hard to accomplish due to the way ssl operates. The SSL
connection is intercepted by ssl bump before the connection to the
requested web server is established. It can't be done after as the
encryption has then already been negotiated end-to-end.

But yes, it's theoretically possible by creating a temporary SSL
connection to the requested site before deciding if the CONNECT request
should be intercepted or not.

One way to implement this would be via an external acl performing the
temp SSL connection check. Apart from the helper performing the SSL
connection probe this requires the ssl_bump access lookup to be reworked
into a full (non-"fast") acl check (ClientHttpRequest::sslBumpNeeded).

Regards
Henrik
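A sketch of the external acl helper described above, as an added example (not Henrik's code and not part of Squid): it opens the temporary TLS connection, and answers OK only when the server certificate fails validation, so an ssl_bump rule keyed on this acl bumps only such sites. It assumes Squid passes "%DST %PORT" per lookup and that ssl_bump can consult an external acl, which the post says requires reworking the lookup into a full acl check.

```python
"""Added example, not from the post or from Squid: external ACL helper that
probes the destination's TLS certificate and replies OK (match -> bump)
only when the certificate does NOT validate.

Assumptions not stated in the post: Squid sends one line per lookup with
the format "%DST %PORT"; the reply protocol is a plain OK / ERR line."""
import socket
import ssl
import sys
from typing import Callable

PROBE_TIMEOUT = 5.0  # seconds; keeps a slow site from stalling the helper


def probe_certificate(host: str, port: int) -> str:
    """Temporary TLS connection to host:port. Returns "valid" when the chain
    and hostname verify against the system CA store, "invalid" when the
    handshake is rejected (untrusted CA, expired, name mismatch, ...), and
    "unreachable" when no TLS session could be attempted at all."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    try:
        with socket.create_connection((host, port), timeout=PROBE_TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "valid"
    except ssl.SSLError:
        return "invalid"
    except OSError:
        return "unreachable"


def helper_response(line: str,
                    probe: Callable[[str, int], str] = probe_certificate) -> str:
    """Map one request line ("host port") to the acl reply.
    OK  -> acl matches  -> the CONNECT is bumped (certificate did not validate)
    ERR -> no match     -> the CONNECT is tunnelled untouched
    Malformed input and unreachable sites both answer ERR: a probe failure is
    not evidence of a bad certificate, so the client's own validation decides."""
    parts = line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "ERR"
    return "OK" if probe(parts[0], int(parts[1])) == "invalid" else "ERR"


if __name__ == "__main__":
    # Squid keeps the helper running and writes one lookup per line on stdin.
    for request in sys.stdin:
        sys.stdout.write(helper_response(request) + "\n")
        sys.stdout.flush()
```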

Received on Tue Nov 25 2008 - 21:51:00 MST
