Nice.
FYI, this script doing its own certificate lookup risks reaching a
server providing a different server-cert than the one Squid connects to.
Same problem as seen when allowing clients based on future dst-IPs.
IMO this would be a good reason for adding a "server_cert" ACL type, to
match server certificate attributes like the existing "user_cert" type
does for client certs. It needs to be the "fast"/synchronous type of ACL
to be used by ssl_bump access control.
Cheers
Amos
On 11/02/2026 09:03, NgTech LTD wrote:
Hey,
I have been wondering for which websites we can disable TLS inspection
automatically.
There are sites like banks which have EV certificates.
It's pretty easy to just allow these sites to not be bumped by Squid or
any other DPI systems.
In the past I had an issue with a couple of appliances which implement DPI
and TLS inspection.
All of them automatically inspect banks and many other sites without any
way other than
manually adding specific domains or IP addresses to the exceptions list.
I have the following example script in Python:
```
import ssl
import socket
from cryptography import x509
from cryptography.x509.oid import ExtensionOID


def analyze_site_security(hostname):
    # 1. Define the standard EV OID (CA/Browser Forum EV policy identifier)
    EV_OID = "2.23.140.1.1"
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, 443), timeout=5) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                # Get the binary (DER) certificate of the server we reached
                bin_cert = ssock.getpeercert(binary_form=True)
                cert = x509.load_der_x509_certificate(bin_cert)
                # Extract Organization (O, OID 2.5.4.10) from the subject
                subject = cert.subject
                org_name = next((attr.value for attr in subject
                                 if attr.oid.dotted_string == "2.5.4.10"), "N/A")
                # Check for the EV OID in the certificatePolicies extension
                is_ev = False
                try:
                    policies = cert.extensions.get_extension_for_oid(
                        ExtensionOID.CERTIFICATE_POLICIES)
                    for policy in policies.value:
                        if policy.policy_identifier.dotted_string == EV_OID:
                            is_ev = True
                except x509.ExtensionNotFound:
                    # No certificatePolicies extension at all: not EV
                    pass
                return {
                    "site": hostname,
                    "is_ev_certified": is_ev,
                    "organization": org_name,
                    "tls_version": ssock.version(),
                    "likely_pci_entity": is_ev and (ssock.version() in
                                                    ['TLSv1.2', 'TLSv1.3'])
                }
    except Exception as e:
        return {"error": str(e)}


# Testing it out
print(analyze_site_security("www.paypal.com"))
print(analyze_site_security("www.google.com"))
```
It can be converted and modified a bit to be an external_acl helper or
external service that will get a couple of details on the connection like IP
address+port+domain and will just trigger a TLS inspection bypass for
the relevant sites automatically.
I hope it helps anyone.
Eliezer
----
Eliezer Croitoru
Technical support, "who makes the wind blow and brings down the rain"
Mobile: 052-8704261
Email: [email protected]
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
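The check the thread turns on is "does the certificatePolicies extension carry the CA/Browser Forum EV policy OID 2.23.140.1.1". The following is an added example, not the script from the post above and not code from Squid: it pulls the policy OIDs out of a DER certificate with a small hand-written DER walker (standard library only), so it can be applied to whatever certificate bytes a helper is actually handed. The `build_skeleton_cert` input is constructed for the example: it has the real X.509 field layout but empty names, no key and a dummy signature, and only its extensions field is meaningful. The policy OIDs 2.23.140.1.2.1 (DV) and 2.23.140.1.2.2 (OV) used in the sample are the CA/Browser Forum baseline identifiers.

```python
EV_POLICY_OID = "2.23.140.1.1"        # CA/Browser Forum EV policy identifier
CERT_POLICIES_EXT_OID = "2.5.29.32"   # id-ce-certificatePolicies


def encode_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One DER element: tag, length, content."""
    return bytes([tag]) + encode_length(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return tlv(0x06, bytes(body))


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:            # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(data, pos=0):
    """Read the DER element at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:               # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(content):
    """Yield (tag, content) for each element directly inside a constructed element."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


def certificate_policy_oids(der_cert):
    """Walk Certificate -> tbsCertificate -> [3] extensions -> certificatePolicies
    and return its policy OIDs; [] when the extension is absent."""
    _, cert_body, _ = read_tlv(der_cert)
    tbs = next(children(cert_body))[1]              # tbsCertificate is the first field
    for tag, field in children(tbs):
        if tag != 0xA3:                             # context-specific [3] EXPLICIT extensions
            continue
        for _, ext in children(next(children(field))[1]):
            parts = list(children(ext))             # extnID, optional critical, extnValue
            if decode_oid(parts[0][1]) != CERT_POLICIES_EXT_OID:
                continue
            _, policies, _ = read_tlv(parts[-1][1])  # DER value inside the OCTET STRING
            return [decode_oid(next(children(info))[1]) for _, info in children(policies)]
    return []


def is_ev_certificate(der_cert):
    return EV_POLICY_OID in certificate_policy_oids(der_cert)


def build_skeleton_cert(policy_oids):
    """Constructed sample input (hypothetical): real Certificate field layout, empty
    names, no key, dummy signature. None omits the extensions field entirely."""
    sig_alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11"))   # sha256WithRSAEncryption
    fields = [
        tlv(0xA0, tlv(0x02, b"\x02")),                           # [0] version v3
        tlv(0x02, b"\x01"),                                      # serialNumber
        sig_alg,
        tlv(0x30, b""),                                          # issuer Name (empty)
        tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z")),  # validity
        tlv(0x30, b""),                                          # subject Name (empty)
        tlv(0x30, b""),                                          # subjectPublicKeyInfo (empty)
    ]
    if policy_oids is not None:
        policies = tlv(0x30, b"".join(tlv(0x30, encode_oid(o)) for o in policy_oids))
        ext = tlv(0x30, encode_oid(CERT_POLICIES_EXT_OID) + tlv(0x04, policies))
        fields.append(tlv(0xA3, tlv(0x30, ext)))
    tbs = tlv(0x30, b"".join(fields))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    samples = {"ev-like": ["2.23.140.1.1", "2.23.140.1.2.2"],
               "dv-like": ["2.23.140.1.2.1"], "no-policies": None}
    for name, oids in samples.items():
        cert = build_skeleton_cert(oids)
        print(name, certificate_policy_oids(cert), is_ev_certificate(cert))
```

Because `certificate_policy_oids` takes raw DER, the decision can be made on the certificate Squid itself received in the bumped session rather than on the result of a second, separate lookup, which is the concern raised in the reply above. With a real certificate the function also returns the CA's own policy OIDs alongside 2.23.140.1.1, which is why the EV test is a membership check and not an equality check.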