On Sun, 2008-11-23 at 19:31 +0100, Philipp wrote:
> > I would like to bump requests to sites with invalid certificates only.
> > Sites that have valid SSL certificates should not be bumped (bump decision
> > based on validity of the SSL cert).

That is somewhat hard to accomplish due to the way SSL operates. The SSL connection is intercepted by ssl bump before the connection to the requested web server is established. It can't be done after, as the encryption has then already been negotiated end-to-end.

But yes, it's theoretically possible by creating a temporary SSL connection to the requested site before deciding if the CONNECT request should be intercepted or not.

One way to implement this would be via an external acl performing the temp SSL connection check. Apart from the helper performing the SSL connection probe, this requires the ssl_bump access lookup to be reworked into a full (non-"fast") acl check (ClientHttpRequest::sslBumpNeeded).

Regards
Henrik
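A sketch of the probing helper half of the approach described in the message above, as an added example that is not code from the post or from Squid. It assumes the helper is started through `external_acl_type` with a format that sends the destination host and port on each line (for example `%DST %PORT`), and that an inconclusive probe is treated as "do not bump"; the ssl_bump lookup rework mentioned in the message is not covered here.

```python
import socket
import ssl
import sys


def cert_is_valid(host, port, timeout=5.0):
    """Open a temporary TLS connection; True if chain and hostname verify."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def answer(line, probe=cert_is_valid):
    """Map one helper request line ("host port") to a helper reply.

    OK  = ACL matches: the certificate failed verification (bump candidate)
    ERR = no match: certificate verified, bad input, or probe inconclusive
    """
    fields = line.split()
    try:
        host, port = fields[0], int(fields[1])
    except (IndexError, ValueError):
        return "ERR"
    if len(fields) != 2 or not 0 < port < 65536:
        return "ERR"
    try:
        return "ERR" if probe(host, port) else "OK"
    except (OSError, ValueError):
        # Assumption: unreachable host, timeout or a non-TLS service is not
        # proof of a bad certificate, so the connection is left unbumped.
        return "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for one reply line per request


if __name__ == "__main__":
    main()
```

The probe blocks for up to `timeout` seconds per request, which is why the message notes that the lookup has to become a full (non-"fast") acl check.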
