Philipp wrote:
> Hi
>
> I would like to bump requests to sites with invalid certificates only.
> Sites that have valid SSL certificates should not be bumped (bump decision
> based on validity of the SSL cert).
>
> First, I tried this ACL:
> acl InvalidCert ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> acl InvalidCert ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
> acl InvalidCert ssl_error X509_V_ERR_CERT_NOT_YET_VALID
> acl InvalidCert ssl_error X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
> acl InvalidCert ssl_error X509_V_ERR_CERT_HAS_EXPIRED
> acl InvalidCert ssl_error X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
> acl InvalidCert ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
> ssl_bump allow InvalidCert
> ssl_bump deny all
>
> Result: Squid uses CONNECT for https.
> Interpretation: 'ssl_bump deny all' always matches.
>
>
> Second, I tried this ACL:
> acl NoSSLError ssl_error SSL_ERROR_NONE
> ssl_bump deny NoSSLError
> ssl_bump allow all
>
> Result: Squid uses CONNECT for https.
> Interpretation: 'ssl_bump deny NoSSLError' always matches.
>
>
> Last, I also tried "normal" ACLs such as:
> acl whitelisted dstdomain .somedomain.com
> ssl_bump deny whitelisted
> ssl_bump allow all
>
> This works as expected. If .somedomain.com is https, Squid uses CONNECT.
> All other https sites are bumped.
>
>
> I am aware that the ssl_error ACL type is not documented (at least I
> could not find any documentation).
> I'm trying this setup with Squid 3.1.0.2.
> Can this sort of ACL (bump decision based on validity of the cert) be done, or
> is this a bug?
>
Looks like it's probably a bug. Please report it so the sslbump guys can check.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
Current Beta Squid 3.1.0.2
