Hey,

I have been wondering for which websites we can disable TLS inspection
automatically.
There are sites like banks which have EV certificates.
It's pretty easy to just allow these sites not to be bumped by Squid or any
other DPI system.
In the past I had an issue with a couple of appliances which implement DPI and
TLS inspection.
All of them automatically inspect banks and many other sites without any
way other than
manually adding specific domains or IP addresses to the exceptions list.
I have the following example script in Python:
```python
import ssl
import socket
from cryptography import x509


def analyze_site_security(hostname):
    # 1. Define the standard EV OID (the CA/Browser Forum EV policy identifier;
    #    some CAs additionally assert their own CA-specific EV policy OIDs)
    EV_OID = "2.23.140.1.1"

    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, 443), timeout=5) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                # Get the binary (DER) leaf certificate
                bin_cert = ssock.getpeercert(binary_form=True)
                cert = x509.load_der_x509_certificate(bin_cert)

                # Extract the Organization (O, OID 2.5.4.10) from the subject
                subject = cert.subject
                org_name = next((attr.value for attr in subject
                                 if attr.oid.dotted_string == "2.5.4.10"), "N/A")

                # Check for the EV policy OID in the Certificate Policies extension
                is_ev = False
                try:
                    policies = cert.extensions.get_extension_for_oid(
                        x509.ExtensionOID.CERTIFICATE_POLICIES)
                    for policy in policies.value:
                        if policy.policy_identifier.dotted_string == EV_OID:
                            is_ev = True
                except x509.ExtensionNotFound:
                    # No Certificate Policies extension at all: not EV
                    pass

                return {
                    "site": hostname,
                    "is_ev_certified": is_ev,
                    "organization": org_name,
                    "tls_version": ssock.version(),
                    "likely_pci_entity": is_ev and (ssock.version() in
                                                    ['TLSv1.2', 'TLSv1.3'])
                }
    except Exception as e:
        return {"error": str(e)}


# Testing it out
print(analyze_site_security("www.paypal.com"))
print(analyze_site_security("www.google.com"))
```

It can be converted and modified a bit to be an external_acl helper or an
external service that will get a couple of details on the connection, like IP
address + port + domain, and will just trigger a TLS inspection bypass for the
relevant sites automatically.

I hope it helps anyone.

Eliezer
----
אליעזר קרויטורו
Technical support, he who makes the wind blow and the rain fall
Mobile: 052-8704261
Email: [email protected]
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
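The external_acl helper idea from the post above, as an added example that is neither Eliezer's code nor part of Squid: a minimal helper speaking Squid's external ACL protocol (one request per line, `OK`/`ERR`/`BH` reply, channel id echoed back when `concurrency=` is set), with the EV check passed in as a callable so the decision and caching logic runs and can be tested without network access. It assumes the hypothetical `squid.conf` wiring shown in the docstring (`ev_bypass.py`, the `ev_site` ACL name and the TTL are made up here); the real `is_ev` callable would wrap a check like `analyze_site_security` above.

```python
"""Hypothetical Squid external_acl helper: replies OK when a site's leaf cert is
EV, so the assumed squid.conf below splices it instead of bumping it (the SNI
the helper receives only exists from SslBump2 on, hence the peek at step 1):
  external_acl_type ev_site ttl=3600 concurrency=5 %ssl::>sni /usr/local/bin/ev_bypass.py
  acl ev_site external ev_site
  acl step1 at_step SslBump1
  ssl_bump peek step1
  ssl_bump splice ev_site
  ssl_bump bump all"""
import sys
import time


def parse_request(line):
    """Return (channel_id, hostname); with concurrency=N Squid prefixes a
    channel id that must be echoed back in the reply."""
    parts = line.split()
    if len(parts) == 2:
        return parts[0], parts[1]
    if len(parts) == 1:
        return None, parts[0]
    raise ValueError("unexpected request line: %r" % line)


class EvBypassHelper:
    def __init__(self, is_ev, ttl=3600, now=time.time):
        self.is_ev = is_ev  # callable(hostname) -> bool, e.g. built on analyze_site_security
        self.ttl = ttl      # seconds a verdict is reused before the cert is re-checked
        self.now = now
        self.cache = {}     # hostname -> (verdict, expiry)

    def decide(self, hostname):
        entry = self.cache.get(hostname)
        if entry is not None and entry[1] > self.now():
            return entry[0]
        try:
            verdict = "OK" if self.is_ev(hostname) else "ERR"
        except Exception:
            # BH reports a helper failure rather than a negative verdict, so a
            # transient lookup error is never cached as a decision
            return "BH"
        self.cache[hostname] = (verdict, self.now() + self.ttl)
        return verdict

    def handle_line(self, line):
        channel, host = parse_request(line)
        verdict = self.decide(host)
        return verdict if channel is None else "%s %s" % (channel, verdict)

    def serve(self, stdin=sys.stdin, stdout=sys.stdout):
        for line in stdin:  # one request per line; flush so Squid never waits on a buffer
            print(self.handle_line(line), file=stdout, flush=True)
```

A non-EV site gets `ERR`, so the later `ssl_bump bump all` still applies to it; only sites the callable confirms as EV are spliced.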
