Re: [PATCH] SSL server certificate fingerprint ACL type

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Wed, 21 Nov 2012 22:15:33 +0200

If there are no objections I will commit this patch to trunk.

On 11/14/2012 02:12 PM, Tsantilas Christos wrote:
> SSL server certificate fingerprint ACL type
>
> This patch adds the "server_ssl_cert_fingerprint" acl type to match
> against the server SSL certificate fingerprint.
> The new acl type has the form:
> acl aclname server_ssl_cert_fingerprint [-sha1] fingerprint1 ...
>
> The fingerprint must be given in the form:
> XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
> where each X is a valid hexadecimal digit
>
> Example usage:
> acl BrokeServer dst 192.168.1.23
> acl GoodCert server_ssl_cert_fingerprint AB:2A:82:AF:46:AE:1F:31:21:74:65:BF:56:47:25:D1:87:51:41:AE
> sslproxy_cert_error allow BrokeServer GoodCert
> sslproxy_cert_error deny all
>
> Someone can retrieve the fingerprint of a certificate using the openssl
> command:
> # openssl x509 -fingerprint -in test.pem -noout
> # openssl s_client -host www.paypal.com -port 443 2> /dev/null | openssl x509 -fingerprint -noout
>
>
> This is a Measurement Factory project
>
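As an added illustration (not code from the patch or from Squid), a small Python model of what the acl implies: validating the XX:XX:... argument form, deriving the SHA-1 fingerprint from a DER-encoded certificate the way `openssl x509 -fingerprint` prints it, and evaluating the two sslproxy_cert_error lines of the example. The class and function names and the DER stand-in bytes are constructed for this example.

```python
import hashlib
import re

# Argument form from the patch text: 20 colon-separated hex octets (SHA-1).
_FP_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$")

def parse_fingerprint(text):
    """Validate one acl fingerprint argument and normalise it to upper
    case so 'ab:2a:...' and 'AB:2A:...' compare equal."""
    text = text.strip()
    if not _FP_RE.match(text):
        raise ValueError("malformed SHA-1 fingerprint: %r" % text)
    return text.upper()

def is_valid_fingerprint(text):
    """True if parse_fingerprint() accepts the argument."""
    try:
        parse_fingerprint(text)
        return True
    except ValueError:
        return False

def sha1_fingerprint(der_bytes):
    """SHA-1 over the DER encoding, laid out as 'openssl x509
    -fingerprint' prints it (XX:XX:...)."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class ServerCertFingerprintAcl:
    """Hypothetical model of one server_ssl_cert_fingerprint acl."""
    def __init__(self, name, fingerprints):
        self.name = name
        self.fingerprints = {parse_fingerprint(f) for f in fingerprints}

    def match(self, der_bytes):
        return sha1_fingerprint(der_bytes) in self.fingerprints

def cert_error_decision(dst_ip, der_bytes, good_cert,
                        broke_server="192.168.1.23"):
    """Mirror the two sslproxy_cert_error lines of the example: the
    certificate error is allowed only when the destination is the
    BrokeServer address and the certificate matches GoodCert."""
    if dst_ip == broke_server and good_cert.match(der_bytes):
        return "allow"
    return "deny"

# Constructed sample input (not a real certificate): bytes standing in for
# the DER a server presents in the TLS handshake.
SAMPLE_DER = b"\x30\x82\x01\x0a constructed DER stand-in"
```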
Received on Wed Nov 21 2012 - 20:15:42 MST