
I need to filter HTTPS traffic based on the certificate of the destination server. Only traffic to servers which have a certain certificate should be allowed; other traffic needs to be blocked. The proxy must be transparent. How can this be achieved? Is Squid 3.5+ peek and splice an option? If yes, are there instructions for this task?

Edit: the proxy should be passive. Are there tutorials or instructions on how my requirement can be met using a passive proxy?

MarcJ
  • It is not clear from the question if the proxy should be passive only (just checks the certificate) or active (man in the middle, creates a new certificate, proxy CA must be trusted by the client). In the active case this can be done; in the passive case there will be problems with TLS 1.3, since the certificate is encrypted, and with session resumption, since no certificate will be sent at all. – Steffen Ullrich Feb 04 '19 at 02:07
  • Thank you. If it is not possible to do this with a passive proxy, do you know where I can find instructions for an active proxy? Would the destination server know if an active proxy was used? – MarcJ Feb 04 '19 at 05:07
  • There are several guides on how to configure active ssl bumping with transparent squid, like [this one](http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https). The restrictions you want should be doable with the `acl aclname ssl::server_name` ACL. As for the second question in the comment see [Detect man-in-the-middle on server side for HTTPS](https://security.stackexchange.com/questions/110599/detect-man-in-the-middle-on-server-side-for-https). – Steffen Ullrich Feb 04 '19 at 05:24
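
The passive peek-and-splice setup discussed in the question and comments, as an added squid.conf example that is not part of the original post or the linked guide. It assumes Squid 3.5+ built with OpenSSL support, an intercept listener on port 3129 fed by a REDIRECT/DNAT rule for TCP/443, and it uses the `server_cert_fingerprint` and `at_step` ACLs from Squid's documented configuration; the CA path, port number and fingerprint value are placeholders chosen for illustration.

```conf
# Added example (not from the question, the comments, or the Squid project):
# transparent Squid 3.5+ listener that peeks at the TLS handshake without
# decrypting it, splices the connection only when the server presented the
# expected certificate, and terminates everything else.

# Intercepted HTTPS. Redirect TCP/443 here with iptables/nftables REDIRECT.
# ssl-bump requires cert= even for a peek/splice-only setup; the client
# never has to trust this CA because no session is bumped.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/proxyCA.pem   # placeholder path

# SslBump steps: 1 = ClientHello (SNI) seen, 2 = ServerHello/certificate
# seen, 3 = final decision with the server certificate available.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# The one destination certificate that is allowed: SHA-1 fingerprint of the
# DER-encoded certificate. Placeholder value; get the real one with
#   openssl x509 -in server.pem -noout -fingerprint -sha1
acl allowed_cert server_cert_fingerprint -sha1 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67

# Optional extra narrowing by SNI / certificate name, as suggested in the
# comments above (placeholder domain):
# acl allowed_name ssl::server_name .example.com

# Peek at the ClientHello, then at the ServerHello and certificate, without
# modifying either side of the handshake.
ssl_bump peek step1
ssl_bump peek step2

# At step3 the server certificate is known (TLS 1.2 and earlier, full
# handshake): pass the matching session through untouched, close all others.
ssl_bump splice allowed_cert
ssl_bump terminate all
```

Note the failure mode Steffen Ullrich describes: with TLS 1.3 the server certificate is sent encrypted, and on a resumed session it is not sent at all, so a peeked step2 yields no certificate for `allowed_cert` to match and the `terminate all` rule closes the connection. That is fail-closed behaviour, which is consistent with the "only this certificate" requirement, but it means such clients can be reached only through an active (bumping) proxy, with all the trust implications the comments mention.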

0 Answers