OK then. If it's doable then it's only waiting for the client who will want to fund this feature.
Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [email protected]

-----Original Message-----
From: Alex Rousskov [mailto:[email protected]]
Sent: Thursday, February 22, 2018 23:19
To: Eliezer Croitoru <[email protected]>; [email protected]
Subject: Re: [squid-dev] SSL-BUMP distinguish between mobile devices such as IOS or ANDROID vs PC request

On 02/22/2018 11:56 AM, Eliezer Croitoru wrote:
> I was wondering about the options to distinguish mobile devices TLS\SSL
> requests compared to PC ones.

You need ACLs that can match various TLS Client Hello fields (mostly message version, protocol version, and ciphers) and a knowledgebase of typical Hellos for the devices/clients you are interested in. A Hello-based solution cannot be 100% reliable, but I bet you can identify many popular OS versions (and, as a consequence, even some physical devices) with a good-enough probability (for most applications).

IIRC, Squid does not have ACLs that interrogate TLS Client Hello with the exception of SNI (i.e., ssl::server_name --client_requested). However, it should not be very difficult to add such ACLs and they would be generally useful IMO.

Forward proxies can also examine CONNECT headers. That is already supported AFAIK.

Examining TCP/IP packet headers would also be useful in many cases, but that is harder to do directly in Squid.

HTH,

Alex.
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
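The Hello-based matching described in the quoted reply, as an added example that is not part of the thread and is not Squid code: a stand-alone parser that pulls the record version, hello version, cipher list and SNI out of a TLS Client Hello and looks them up in a knowledge base. The sample record, the `KNOWN` table and its label `example-client-A` are constructed placeholders, and dropping GREASE values (RFC 8701) is an assumption added here so the lookup key stays stable across connections.

```python
class Reader:  # bounds-checked cursor: truncated input raises instead of mis-parsing
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u(self, n):  # big-endian unsigned integer of n bytes
        return int.from_bytes(self.take(n), "big")
    def vec(self, n):  # vector with an n-byte length prefix
        return self.take(self.u(n))

def is_grease(v):  # RFC 8701 placeholders (0x0A0A..0xFAFA) change per connection
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def parse_client_hello(record):
    rec = Reader(record)
    ctype, record_version = rec.u(1), rec.u(2)
    hs = Reader(rec.vec(2))
    if ctype != 22 or hs.take(1) != b"\x01":
        raise ValueError("not a ClientHello")
    h = Reader(hs.vec(3))
    hello_version = h.u(2)
    h.take(32)  # random
    h.vec(1)    # session id
    cs = Reader(h.vec(2))
    suites = [cs.u(2) for _ in range(len(cs.data) // 2)]
    h.vec(1)    # compression methods
    sni = None
    exts = Reader(h.vec(2) if h.pos < len(h.data) else b"")
    while exts.pos < len(exts.data):
        etype, edata = exts.u(2), exts.vec(2)
        if etype == 0:  # server_name: list of (type, host name) entries
            names = Reader(Reader(edata).vec(2))
            if names.u(1) == 0:
                sni = names.vec(2).decode("ascii", "replace")
    return {"record_version": record_version, "hello_version": hello_version,
            "ciphers": tuple(s for s in suites if not is_grease(s)), "sni": sni}

# Constructed sample (not a capture): record 0x0301, hello 0x0303, one GREASE cipher.
SAMPLE = bytes.fromhex(
    "160301004d" "01000049" "0303" + "00" * 32 + "00" + "0008" "0a0a1301c02bc02f"
    + "0100" "0018" "0000" "0010" "000e" "00" "000b" + b"example.com".hex() + "00170000")
# Constructed knowledge base; the label is a placeholder, not a real device profile.
KNOWN = {(0x0301, 0x0303, (0x1301, 0xC02B, 0xC02F)): "example-client-A"}

def classify(record):
    f = parse_client_hello(record)
    return KNOWN.get((f["record_version"], f["hello_version"], f["ciphers"]), "unknown")
```

An unmatched Hello returns `"unknown"` rather than a nearest guess, in line with the reply's point that a Hello-based match is probabilistic, not proof of the device.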
