Re: [squid-users] Only permitting SSL traffic on CONNECT?

From: Matus UHLAR - fantomas <uhlar@dont-contact.us>
Date: Mon, 30 May 2005 09:05:05 +0200

On 29.05 20:27, Florian Effenberger wrote:
> Is it possible to only permit SSL traffic on CONNECT? When I have
> CONNECT on 443 open, a user could theoretically open up their own server
> listening on port 443 and tunnel through my proxy...

Yes. However, you would need a filter that would detect the used protocol.
I'm afraid it's currently impossible to push such a filter into squid w/o
patching and recompiling it.

Also, I'm not 100% sure that it's easy to detect SSL negotiation and refuse
the connection if it's not used (note that TLS negotiation is in some cases
requested after the initial handshake).

Last, when SSL is used, you can't even tell what protocol is inside of it.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
LSD will make your ECS screen display 16.7 million colors
Received on Mon May 30 2005 - 01:05:08 MDT
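As an added illustration (not code from this thread and not part of squid), here is the kind of protocol check Matus describes: it inspects the first bytes a client sends through the CONNECT tunnel and decides whether they open an SSL/TLS handshake. The sample inputs are constructed. It also shows the two limits he raises: a protocol that only switches to TLS after an initial plaintext exchange is classified as "not-tls" here, and nothing after a genuine handshake can be inspected.

```python
import struct

# Constructed sample inputs (not captured traffic): the first bytes a client
# sends through a CONNECT tunnel, as a filter at the proxy would see them.
TLS_CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"        # record header: handshake, TLS 1.0, length 45
    b"\x01\x00\x00\x29"            # handshake header: ClientHello, length 41
    b"\x03\x03"                    # client_version (TLS 1.2)
    + b"\x11" * 32                 # 32-byte client random
    + b"\x00"                      # session_id length 0
    + b"\x00\x02\x13\x01"          # cipher_suites: one suite
    + b"\x01\x00"                  # compression_methods: null only
)
SSLV2_CLIENT_HELLO = b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00\x00\x10"  # SSLv2-style hello
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: server.example\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_4.0\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Classify the client's first bytes as 'tls', 'not-tls' or 'undecided'.

    Only the record and handshake headers are inspected, which is all a
    proxy-side filter could rely on; once the handshake succeeds the
    payload is encrypted and opaque to it.
    """
    if len(data) < 3:
        return "undecided"             # wait for more bytes before judging
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # then message type 0x01 (CLIENT-HELLO). Old clients still sent these.
    if data[0] & 0x80 and data[2] == 0x01:
        return "tls"
    if len(data) < 9:
        return "undecided"
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    # SSLv3/TLS record: content type 22 (handshake), version 3.x, at most 2^14 bytes.
    if content_type != 0x16 or major != 3 or minor > 4 or rec_len > 16384:
        return "not-tls"
    # The record must carry a ClientHello (type 1) of at least the minimum
    # size: version(2) + random(32) + sid_len(1) + 1 suite(4) + 1 comp(2).
    if hs_type != 0x01 or hs_len < 41:
        return "not-tls"
    return "tls"


if __name__ == "__main__":
    for name, sample in [("tls", TLS_CLIENT_HELLO), ("sslv2", SSLV2_CLIENT_HELLO),
                         ("http", PLAIN_HTTP), ("ssh", SSH_BANNER)]:
        print(f"{name:6s} -> {classify_first_bytes(sample)}")
```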
