I've written a little helper to do SSL callouts to determine if the server is 
running SSL at all (e.g. not tunnelling over SSL), and also to be able to do 
limited ACL on CN/SAN. The main limitation is the way larger organisations will 
often have one SSL cert that covers many URLs (e.g. the Google cert also covers 
google.com, youtube.com etc.).

Currently I need to do it like:

external_acl_type cert_callout %DST %PORT /usr/local/squid/libexec/ext_cert_callout_acl

acl banks dstdomain .bigbank.com
acl banks dstdomain .otherbank.com

acl is_ssl external cert_callout IS_SSL
acl banks_callout external cert_callout SAN .bigbank.com
acl banks_callout external cert_callout SAN .otherbank.com

ssl_bump splice !is_ssl
ssl_bump splice banks
ssl_bump splice banks_callout
ssl_bump bump all

But I'd rather not have to maintain the banks and the banks_callout lists 
separately when they are identical. Apart from sticking them in a separate 
file, are there any shortcuts I can take?

Also, it would be good if squid could make use of the CN from the certificate 
for logging, so instead of "CONNECT <IP>:<PORT>", I could log "CONNECT 
<CN>:<PORT>", which would really clean up the logs (apart from the cases 
mentioned above). I think I can use tag= or log=, but that would preclude me 
from using them for anything else (I'm not using them for anything else at the 
moment but still...)

Thanks

James
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
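An external ACL helper in the shape the config above calls for, added here as an illustration in Python (it is not James's ext_cert_callout_acl): it answers the IS_SSL and SAN requests with OK or ERR. The request line layout, the SAMPLE_CERT dict and the suffix-matching rules are assumptions.

```python
import socket, ssl, sys

# Constructed sample in the layout ssl's getpeercert() returns, for offline use.
SAMPLE_CERT = {"subject": ((("commonName", "www.bigbank.com"),),),
               "subjectAltName": (("DNS", "www.bigbank.com"), ("DNS", "*.bigbank.com"))}

def cert_names(cert):
    """DNS names the certificate covers: SAN entries first, then the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def san_matches(names, pattern):
    """dstdomain-style match: '.bigbank.com' covers the domain and every subdomain."""
    pat = pattern.lower()
    for name in names:
        wild = name.startswith("*.")           # '*.bigbank.com' covers one extra label
        base = name[2:] if wild else name
        if pat.startswith("."):
            if base == pat[1:] or base.endswith(pat):
                return True
        elif name == pat or (wild and "." in pat and pat.split(".", 1)[1] == base):
            return True
    return False

def fetch_cert(host, port, timeout=5.0):
    """TLS handshake with the origin; None if the port is not TLS or the chain fails."""
    ctx = ssl.create_default_context()  # keep the trust store: getpeercert() is {} under CERT_NONE
    ctx.check_hostname = False          # %DST is usually an IP, not the cert's name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    except OSError:                     # ssl.SSLError is a subclass
        return None

def handle(line, fetcher=fetch_cert):
    """One request "<dst> <port> <mode> [pattern]" (assumed layout) -> OK, ERR or BH."""
    fields = line.split()
    if len(fields) < 3 or not fields[1].isdigit():
        return "BH"                     # malformed request: helper failure, not a verdict
    host, port, mode = fields[0], int(fields[1]), fields[2].upper()
    cert = fetcher(host, port)
    ok = cert is not None and (mode == "IS_SSL" or (mode == "SAN" and len(fields) > 3
                               and san_matches(cert_names(cert), fields[3])))
    return "OK" if ok else "ERR"

if __name__ == "__main__":              # Squid drives the helper over stdin/stdout
    for line in sys.stdin: print(handle(line), flush=True)
```

Because chain validation stays on, an origin presenting an untrusted certificate answers ERR to IS_SSL, and `ssl_bump splice !is_ssl` would then splice it uninspected; check that this is the behaviour you want before deploying.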