It's called certificate pinning: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
Nir.

On Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez <ajm.marti...@gmail.com> wrote:

> Hi all,
>
> I'm using squid 3.5.12.
>
> This is my relevant config:
>
> http_port 881
> http_port 880 intercept
> https_port 843 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/cert.pem options=NO_SSLv3:NO_SSLv2 cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/etc/ssl/certs -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> #### Denied Users
> acl equipos_denegados src "/usr/local/squid/etc/equipos_denegados"
> http_access deny equipos_denegados
> deny_info DENY equipos_denegados
>
> #### Allowed users
> acl equipos_permitidos src "/usr/local/squid/etc/equipos_permitidos"
> http_access allow equipos_permitidos
> ####
>
> #### Denied Sites
> acl sitios_denegados dstdomain "/usr/local/squid/etc/sitiosdenegados"
> http_access deny sitios_denegados
> ####
>
> #### Block HTTPS
> acl blockhttps ssl::server_name "/usr/local/squid/etc/sitiosdenegados"
> ssl_bump terminate blockhttps
> ssl_bump splice equipos_permitidos
> ssl_bump peek all
> ssl_bump splice all
> ####
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_options NO_SSLv3:NO_SSLv2
>
> Basically I'm using squid to allow everything and deny some users (hosts)
> and some sites (http and https).
>
> If I use IE or Firefox (Win/Lin), everything works great: if I access a
> site via HTTP the user sees a message, and if he accesses it via HTTPS the
> connection is terminated and there is an error in the browser.
>
> But if I access any Google site using Chrome (Windows / Linux), the sites
> are getting bumped (google.com, google.com.X, youtube.com, etc.)
>
> The browser complains with a "Your connection is not private" and the
> certificate is my own certificate.
>
> Am I missing something?
>
> I only want to splice everything.
>
> Thanks
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users