On 06/08/12 22:57, Felix Fietkau wrote:
>> Do you have any solution?
> There really is no good way to filter HTTPS traffic. It requires
> intercepting the SSL connection and doing a man-in-the-middle-attack on
> it, which requires a certificate (otherwise it'll trigger nasty warnings
> on the client side). You could have automatic whitelisting for IPs
> based on DNS requests, but that's complex and probably unreliable.

What about intercepting SNI? All modern browsers announce the URL they are requesting in the initial phase of the SSL handshake and before the connection is authenticated [1].

Anyway, just a thought which came up, not sure if it's actually possible after all, but maybe worth the research.

1: http://en.gentoo-wiki.com/wiki/Apache2/SSL_and_Name_Based_Virtual_Hosts

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel