25th February 2008, 03:04 PM #1
Blocking invalid ssl certs with Squid
We have the usual proxy avoidance problems - the http ones can be blocked via regular expressions, and the http redirector for the https one can also be blocked by regular expression. This leaves direct connections to https:// sites to be blocked when the logs are parsed.
I wondered if there's a way to block based on an unsigned/self-signed ssl certificate, but I'm unsure how to go about it and I found ufdbGuard at http://www.urlfilterdb.com which says it can check for invalid ssl certs.
Has anyone else found ways to detect this?
So far I can check if a certificate has expired by using http://prefetch.net/articles/checkcertificate.html
I'm thinking of something like:
User requests ssl_site -> squid/dansguardian sees request and issues its own request to ssl_site, openssl checks that certificate is trusted and user request is either processed or denied. Checked and ok sites could be cached for "X" amount of time.
I just haven't worked out the mechanics or the overhead this would place on each request.
Last edited by pete; 25th February 2008 at 03:42 PM.
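The mechanism sketched in this post (the proxy makes its own TLS connection to the site, checks that the certificate is trusted, and caches the verdict for a while) as an added Python example; this is not code from the thread, Squid, DansGuardian or ufdbGuard. The ssl module does the chain, hostname and validity-period checks against the CA bundle. The helper protocol (one request per stdin line, one "OK" or "ERR" per stdout line) is the one Squid external_acl_type helpers use, but the "host port" input format, the 600-second cache TTL and the verify_fn/clock injection points are this example's own choices, added so the cache policy can be exercised without a network.

```python
"""Trust-check an HTTPS destination once, cache the verdict, answer OK/ERR.

Added example (not from the thread or from Squid/DansGuardian/ufdbGuard).
Assumptions: Python 3.7+ (for SSLCertVerificationError.verify_message),
input lines of the form "host [port]", a 600 s cache TTL.
"""
import socket
import ssl
import sys
import time

DEFAULT_TTL = 600  # seconds a verdict stays cached ("X amount of time" in the post)


def tls_verify(host, port=443, cafile=None, timeout=5.0):
    """Open a real TLS connection and let the ssl module validate the chain,
    hostname and dates against the CA bundle. Returns (ok, reason)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
        return True, "issuer=%s" % issuer.get("organizationName", "?")
    except ssl.SSLCertVerificationError as exc:
        # self-signed, unknown CA, expired, or CN/SAN mismatch all land here
        return False, exc.verify_message or str(exc)
    except (OSError, ssl.SSLError) as exc:
        return False, "connect/handshake failed: %s" % exc


class TrustCache:
    """Caches verdicts per (host, port) so each client request does not cost
    the proxy a second TLS handshake. verify_fn and clock are injectable so
    the cache policy can be tested offline."""

    def __init__(self, verify_fn=tls_verify, ttl=DEFAULT_TTL, clock=time.monotonic):
        self.verify_fn = verify_fn
        self.ttl = ttl
        self.clock = clock
        self._cache = {}  # (host, port) -> (expires_at, ok, reason)
        self.lookups = 0  # number of real verifications performed

    def check(self, host, port=443):
        key = (host.lower(), port)
        now = self.clock()
        hit = self._cache.get(key)
        if hit and hit[0] > now:
            return hit[1], hit[2]
        ok, reason = self.verify_fn(host, port)
        self.lookups += 1
        self._cache[key] = (now + self.ttl, ok, reason)
        return ok, reason


def helper_loop(cache, lines):
    """Squid external ACL helper style: each input line is 'host [port]',
    each yielded answer is OK or ERR. Blank lines are skipped."""
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        host = parts[0]
        port = int(parts[1]) if len(parts) > 1 else 443
        ok, reason = cache.check(host, port)
        if not ok:
            print("%s:%d denied: %s" % (host, port, reason), file=sys.stderr)
        yield "OK" if ok else "ERR"


if __name__ == "__main__":
    # Run as a helper: squid writes one destination per line, we answer per line.
    for verdict in helper_loop(TrustCache(), sys.stdin):
        print(verdict, flush=True)
```

The overhead the post worries about is bounded by the cache: one handshake per destination per TTL rather than per client request, and a denied verdict is cached just like an allowed one so a circumvention proxy with a self-signed certificate does not get re-probed on every retry.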
25th February 2008, 04:19 PM #2
25th February 2008, 05:00 PM #3
Just looking at it now - are you using it, Geoff?
25th February 2008, 05:37 PM #4
FWIW, this feature will be in Guardian08 feature-pack1, we believe it will do a lot to alleviate https circumvention proxies.
25th February 2008, 08:03 PM #5
Nice to hear, I'm going to upgrade Schools Guardian 2008 in the next couple of weeks.
Originally Posted by tom_newton
Any ETA for SP1?
26th February 2008, 01:12 AM #6
No, but planning to.
Originally Posted by pete
26th February 2008, 09:36 AM #7
It should be out in late June, early July, all things being equal, with the general aim to get a release before you lot go on yer summer hols. There should be a couple of interesting new bits in there... new reports, some new controls in guardian... user delegated reporting.. hmm, best go poke the dev team with something sharp
Originally Posted by steve
4th August 2008, 02:50 PM #8
Thread resurrection, since it may be useful to others
Just a quick note to say I've got ufdbguard working and it's rather good. I'm using it in conjunction with dansguardian as a means to block invalid ssl certs and identify ssl proxy tunnels.
Tip: to give it a list of valid trusted SSL certs/CAs, copy (or symlink) /etc/ssl/cert/ca-certificates.crt to $ufdbinstalldir/blacklists/security/cacerts.
2008-08-04 13:45:01  SSL certificate common name `localhost.localdomain' doesn't match hostname `www.magnetmice.com' *****
2008-08-04 13:45:02  BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
2008-08-04 13:45:07  BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
2008-08-04 13:45:15  SSL certificate for thornfruit.com: unrecognised issuer
2008-08-04 13:45:15  issuer: /C=Y1/ST=6Asx5bsLCQ/L=Aj8zmKQJ7f/O=mz7lirB8PgDrbbCTdKiX/OU=50FfS/CN=ygd3gIDRiOV/emailAddress=yUoU1vvP@uL3cMg.com *****
2008-08-04 13:45:15  this issuer is not a recognised certificate authority
2008-08-04 13:45:15  SSL certificate common name `rwGR9ZhA2i4y' doesn't match hostname `thornfruit.com' *****
2008-08-04 13:45:28  BLOCK - IPADDRESS allSystems security thornfruit.com:443 -
*waits to see how many curriculum web-based apps use dodgy certs*
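An added Python parser for the ufdbGuard log lines shown in this post, so the blocks can be rolled up per host with the reason (certificate name mismatch, unrecognised issuer) and the offending issuer DN; this is not ufdbGuard's own code. The sample lines are the ones from the post, embedded so the script runs offline, and the event labels (cn_mismatch, unknown_issuer, issuer_dn, block) are this example's own names.

```python
"""Summarise ufdbGuard security-category blocks per host.

Added example, not ufdbGuard's code. The log format is inferred from the
lines quoted in the post above; any other ufdbGuard line is ignored.
"""
import re
from collections import defaultdict

# Sample input: the log excerpt from the post, verbatim.
LOG_LINES = """\
2008-08-04 13:45:01  SSL certificate common name `localhost.localdomain' doesn't match hostname `www.magnetmice.com' *****
2008-08-04 13:45:02  BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
2008-08-04 13:45:07  BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
2008-08-04 13:45:15  SSL certificate for thornfruit.com: unrecognised issuer
2008-08-04 13:45:15  issuer: /C=Y1/ST=6Asx5bsLCQ/L=Aj8zmKQJ7f/O=mz7lirB8PgDrbbCTdKiX/OU=50FfS/CN=ygd3gIDRiOV/emailAddress=yUoU1vvP@uL3cMg.com *****
2008-08-04 13:45:15  this issuer is not a recognised certificate authority
2008-08-04 13:45:15  SSL certificate common name `rwGR9ZhA2i4y' doesn't match hostname `thornfruit.com' *****
2008-08-04 13:45:28  BLOCK - IPADDRESS allSystems security thornfruit.com:443 -
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
PATTERNS = [
    ("cn_mismatch", re.compile(
        TS + r"SSL certificate common name `(?P<cn>[^']*)' doesn't match hostname `(?P<host>[^']*)'")),
    ("unknown_issuer", re.compile(TS + r"SSL certificate for (?P<host>\S+): unrecognised issuer")),
    ("issuer_dn", re.compile(TS + r"issuer: (?P<dn>/\S+)")),
    ("block", re.compile(
        TS + r"BLOCK - (?P<src>\S+) (?P<group>\S+) (?P<category>\S+) (?P<host>[^:\s]+):(?P<port>\d+)")),
]


def parse(lines):
    """Turn log lines into event dicts. The 'issuer:' line carries no host,
    so it is attributed to the host named on the preceding line."""
    events = []
    last_host = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            ev = {"kind": kind}
            ev.update(m.groupdict())
            if kind == "issuer_dn":
                ev["host"] = last_host
            else:
                last_host = ev["host"]
            events.append(ev)
            break
    return events


def summarize(events):
    """Per host: which certificate checks failed, how many requests were
    blocked, and the issuer DN if ufdbGuard logged one."""
    summary = defaultdict(lambda: {"reasons": set(), "blocks": 0, "issuer": None})
    for ev in events:
        host = ev.get("host")
        if host is None:
            continue
        entry = summary[host]
        if ev["kind"] == "block":
            entry["blocks"] += 1
        elif ev["kind"] == "issuer_dn":
            entry["issuer"] = ev["dn"]
        else:
            entry["reasons"].add(ev["kind"])
    return dict(summary)


def report(summary):
    """One line per host, most-blocked first."""
    lines = []
    for host, e in sorted(summary.items(), key=lambda kv: -kv[1]["blocks"]):
        reasons = ",".join(sorted(e["reasons"])) or "-"
        lines.append("%-24s blocks=%d reasons=%s issuer=%s" % (host, e["blocks"], reasons, e["issuer"] or "-"))
    return lines


if __name__ == "__main__":
    for line in report(summarize(parse(LOG_LINES.splitlines()))):
        print(line)
```

Run against a real ufdbGuard log, the report answers the question the post ends on: which hosts were blocked only for a name mismatch (likely a misconfigured but legitimate curriculum app, a candidate for whitelisting) versus those with an unrecognised issuer whose DN is random-looking, which is the profile of a throwaway tunnel certificate.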