If there is not any objection, I will commit this patch to trunk.
On 11/14/2012 02:12 PM, Tsantilas Christos wrote:
> SSL server certificate fingerprint ACL type
>
> This patch adds the "server_ssl_cert_fingerprint" acl type to match
> against the server SSL certificate fingerprint.
> The new acl type has the form:
> acl aclname server_ssl_cert_fingerprint [-sha1] fingerprint1 ...
>
> The fingerprint must be given in the form:
> XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
> where X is any valid hexadecimal digit
>
> Example usage:
> acl BrokeServer dst 192.168.1.23
> acl GoodCert server_ssl_cert_fingerprint AB:2A:82:AF:46:AE:1F:31:21:74:65:BF:56:47:25:D1:87:51:41:AE
> sslproxy_cert_error allow BrokeServer GoodCert
> sslproxy_cert_error deny all
>
> Someone can retrieve the fingerprint of a certificate using the openssl
> command:
> # openssl x509 -fingerprint -in test.pem -noout
> # openssl s_client -host www.paypal.com -port 443 2> /dev/null | openssl x509 -fingerprint -noout
>
> This is a Measurement Factory project
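
Worked example added by the editor, not Squid code and not part of the patch above: a small Python model of the server_ssl_cert_fingerprint ACL as described in the quoted mail. It shows that the fingerprint is the SHA-1 of the certificate's DER bytes (not of the PEM text) in openssl's XX:XX:... form, how an "acl NAME server_ssl_cert_fingerprint [-sha1] fp ..." line can be parsed and validated, and how the allow/deny rules from the example config combine the dst ACL with the fingerprint ACL. The function names, the first-match rule evaluation and the fall-through default are assumptions of this example, and FAKE_PEM is a constructed stand-in rather than a real certificate.

```python
# Added example, not Squid's code: model of the server_ssl_cert_fingerprint
# ACL from the quoted mail. Names, rule semantics and the constructed
# certificate below are assumptions of this example.
import base64
import hashlib
import re

FINGERPRINT_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$")

# Constructed stand-in for a server certificate in PEM form (base64 of
# arbitrary bytes; NOT a real X.509 certificate).
FAKE_DER = b"constructed DER stand-in for a server certificate"
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to the DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, formatted like `openssl x509 -fingerprint`.

    Hashing the PEM text instead of the DER bytes yields a different value,
    which is the usual reason a fingerprint ACL never matches.
    """
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_fingerprint_acl(line: str):
    """Parse 'acl NAME server_ssl_cert_fingerprint [-sha1] fp1 fp2 ...'.

    Returns (name, set_of_fingerprints). Values are upper-cased so matching
    is case-insensitive; malformed values fail at parse time instead of
    silently never matching.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "acl" \
            or tokens[2] != "server_ssl_cert_fingerprint":
        raise ValueError("not a server_ssl_cert_fingerprint acl line")
    name, args = tokens[1], tokens[3:]
    if args[0].startswith("-"):
        if args[0] != "-sha1":          # only SHA-1 is described in the mail
            raise ValueError("unsupported fingerprint type " + args[0])
        args = args[1:]
    fps = set()
    for fp in args:
        if not FINGERPRINT_RE.match(fp):
            raise ValueError("malformed fingerprint " + fp)
        fps.add(fp.upper())
    if not fps:
        raise ValueError("acl %s has no fingerprints" % name)
    return name, fps


def acl_matches(acl, dst: str, der: bytes) -> bool:
    """Evaluate one ACL against the connection's dst IP and server cert."""
    kind, value = acl
    if kind == "all":
        return True
    if kind == "dst":
        return dst == value
    if kind == "server_ssl_cert_fingerprint":
        return fingerprint(der) in value
    raise ValueError("unknown acl type " + kind)


def sslproxy_cert_error(rules, acls, dst: str, der: bytes) -> str:
    """First rule whose ACLs all match decides; 'deny' if none matches.

    The fall-through default is an assumption of this model; the quoted
    config ends with 'deny all', so it never falls through anyway.
    """
    for action, names in rules:
        if all(acl_matches(acls[n], dst, der) for n in names):
            return action
    return "deny"


# The example configuration from the mail, with the pinned fingerprint
# replaced by the one computed from the constructed certificate.
_name, _fps = parse_fingerprint_acl(
    "acl GoodCert server_ssl_cert_fingerprint -sha1 "
    + fingerprint(pem_to_der(FAKE_PEM)).lower())
ACLS = {
    "BrokeServer": ("dst", "192.168.1.23"),
    _name: ("server_ssl_cert_fingerprint", _fps),
    "all": ("all", None),
}
RULES = [
    ("allow", ["BrokeServer", "GoodCert"]),
    ("deny", ["all"]),
]

if __name__ == "__main__":
    print("fingerprint:", fingerprint(pem_to_der(FAKE_PEM)))
    for dst, cert in [("192.168.1.23", FAKE_DER), ("10.0.0.1", FAKE_DER),
                      ("192.168.1.23", b"some other certificate")]:
        print(dst, sslproxy_cert_error(RULES, ACLS, dst, cert))
```

Two things worth keeping in mind when using such a rule in practice: the allow rule only bypasses certificate errors for the one exact certificate, so the pinned fingerprint has to be updated whenever that server's certificate is renewed, and pairing it with a dst ACL (as in the mail) keeps the exception from applying if the same broken certificate shows up on a different host.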
