Re: [squid-users] Ssl-Bump and revoked server certificates

2015-11-03 Thread Sebastian Kirschner
Hi, regarding my missing programming skills it is hard for me to understand the code. Regardless of that, I have a suggestion that could be added to the code, hope it would work. These should add a "variable" SNI, these should be "called" from cert_validate_message.h/.cc and appended as new lin

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-27 Thread Sebastian Kirschner
Hi Amos, > You may need to use key_extras feature for now to send the SNI logformat > value explicitly in a new key=value field. Could you give me a hint where I find information about that? I searched in the Wiki and Google but only found a possibility of sending key_extras for auth_param, also i

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-26 Thread Amos Jeffries
On 27/10/2015 5:43 a.m., Sebastian Kirschner wrote: > Hi, > > in my squid setup the sslcrtvalidator_program doesn't send the data that I > expect to the helper :-) . > The helper receives the data as described in the wiki, except the "form" of > the domain, > here I would expect a FQDN or do

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-26 Thread Sebastian Kirschner
Hi, in my squid setup the sslcrtvalidator_program doesn't send the data that I expect to the helper :-) . The helper receives the data as described in the wiki, except the "form" of the domain, here I would expect a FQDN or domain like google.de or ca.google.de but the helper receives an IP.

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-22 Thread Amos Jeffries
On 23/10/2015 12:02 a.m., Sebastian Kirschner wrote: > Hi Amos, > > thanks for your reply. > > Maybe we got a misunderstanding or I have a "false" opinion of the sentence > I quoted before. > > I thought you could tell me which checks would definitely be performed in > "standard" installa

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-22 Thread Sebastian Kirschner
ion. What from the response would be cached, the complete one or maybe only the sslhost and response code? Would it be defined as byte in as the validator and speak? -- Message: 4 Date: Thu, 22 Oct 2015 22:41:43 +1300 From: Amos Jeffries To: squid-users@lists.squid

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:22 p.m., Sebastian Kirschner wrote: > Hi, > > I have a question regarding the SSL Server Certificate Validator. > > In the Wiki is written: > "The helper will be optionally consulted after an internal OpenSSL validation > we do now, regardless of that validation results." > > Wh

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-21 Thread Sebastian Kirschner
Hi, I have a question regarding the SSL Server Certificate Validator. In the Wiki is written: "The helper will be optionally consulted after an internal OpenSSL validation we do now, regardless of that validation results." What checks does the internal validation include? Couldn't find any in

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-20 Thread Walter H.
it was just the solution I did for myself, and brought it to the "public" AS IS. On 21.10.2015 00:53, Brett Lymn wrote: On Tue, Oct 20, 2015 at 12:45:57PM +0200, Walter H. wrote: The style guideline is not compatible with mine (space - tab); which can be fixed mostly by indent(1) - that shoul

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-20 Thread Brett Lymn
On Tue, Oct 20, 2015 at 12:45:57PM +0200, Walter H. wrote: > > The style guideline is not compatible with mine (space - tab); > which can be fixed mostly by indent(1) - that shouldn't be a barrier. > by the way it is only C and only for Linux; > no Windows or other operating systems not confor

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-20 Thread Walter H.
On 19.10.2015 01:01, Amos Jeffries wrote: If you are interested in getting this helper bundled with Squid No; the details on how to prepare and submit a patch to squid-dev mailing list are at: The style guideline is not compatible with mine (spa

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-18 Thread Amos Jeffries
On 19/10/2015 8:37 a.m., Walter H. wrote: > On 04.10.2015 21:08, Walter H. wrote: >> Hello, >> >> does anybody know if squid does certificate checks and how to tell >> squid to do so; >> >> this is a site with a revoked certificate >> https://revoked.grc.com/ >> >> without squid, the browser shows

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-18 Thread Walter H.
On 04.10.2015 21:08, Walter H. wrote: Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the page with

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-14 Thread Sebastian Kirschner
Hi Walter, do you have an update regarding your correct certificate validator? Kind regards / Best Regards Sebastian Kirschner

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.
On 07.10.2015 16:48, Amos Jeffries wrote: or sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1 can I have a working sample of valid_cert.pl that results in an "access denied" or any other error page of squid? An

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Amos Jeffries
On 8/10/2015 3:17 a.m., Walter H. wrote: > On 07.10.2015 11:05, Amos Jeffries wrote: >> On 7/10/2015 4:27 a.m., Alex Rousskov wrote: >>> On 10/06/2015 01:27 AM, Jason Haar wrote: Good catch - I don't think squid does CRL/OCSP checks But this is a bug in squid - this means untrustworthy ce

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.
On 07.10.2015 11:05, Amos Jeffries wrote: On 7/10/2015 4:27 a.m., Alex Rousskov wrote: On 10/06/2015 01:27 AM, Jason Haar wrote: Good catch - I don't think squid does CRL/OCSP checks But this is a bug in squid - this means untrustworthy certs become trusted again - not a good look IIRC, Squid

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Amos Jeffries
On 7/10/2015 4:27 a.m., Alex Rousskov wrote: > On 10/06/2015 01:27 AM, Jason Haar wrote: >> Good catch - I don't think squid does CRL/OCSP checks > >> But this is a bug in squid - this means untrustworthy certs become >> trusted again - not a good look > > > IIRC, Squid relies on OpenSSL to perf

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Jason Haar
On 07/10/15 13:56, Marcus Kool wrote: > > This sounds like an interesting script. Do you want to make this public? > And what about sites that use HSTS, can you also do a "GET /" and check > the headers for HSTS? Frankly it's a "script as you learn" type affair - it's not in any fit state to be re

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Marcus Kool
On 10/06/2015 07:18 PM, Jason Haar wrote: On 06/10/15 23:21, Walter H. wrote: Hello, can you please provide an example of how to use this in squid.conf #create external acl checker that returns "ERR" or "OK" based on cert data sent to it external_acl_type checkIfHTTPS children-max=20 concur

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Jason Haar
On 06/10/15 23:21, Walter H. wrote: > Hello, > > can you please provide an example of how to use this in squid.conf #create external acl checker that returns "ERR" or "OK" based on cert data sent to it external_acl_type checkIfHTTPS children-max=20 concurrency=20 negative_ttl=3600 ttl=3600 grace=9

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Alex Rousskov
On 10/06/2015 01:27 AM, Jason Haar wrote: > Good catch - I don't think squid does CRL/OCSP checks > But this is a bug in squid - this means untrustworthy certs become > trusted again - not a good look IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is difficult to configure to do CR

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Walter H.
Hello, can you please provide an example of how to use this in squid.conf? By the way, how would I use these: sslcrtvalidator_program and sslcrtvalidator_children? Thanks, Walter On Tue, October 6, 2015 09:27, Jason Haar wrote: > Good catch - I don't think squid does CRL/OCSP checks > > I'm using

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Jason Haar
Good catch - I don't think squid does CRL/OCSP checks I'm using the external_acl_type method to achieve that: it does the extra work and returns "ERR" for revoked certs - which (for me) causes squid to fall back on splice mode - so that the client browser can see the actual fault directly (ie I'm m

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-04 Thread Walter H.
On 04.10.2015 21:08, Walter H. wrote: Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the page with

[squid-users] Ssl-Bump and revoked server certificates

2015-10-04 Thread Walter H.
Hello, does anybody know if squid does certificate checks and how to tell squid to do so; this is a site with a revoked certificate https://revoked.grc.com/ without squid, the browser shows that the certificate is revoked and doesn't show the page with squid, the page is shown ... Thanks,