*nix Thread, Blocking invalid ssl certs with Squid in Technical; ...and Dansguardian
25th February 2008, 03:04 PM #1 Blocking invalid ssl certs with Squid
...and Dansguardian
We have the usual proxy avoidance problems - the http ones can be blocked via regular expressions, and the http redirector for the https one can also be blocked by regular expression. This leaves direct connections to https:// sites to be blocked when the logs are parsed.
I wondered if there's a way to block based on an unsigned/self-signed ssl certificate, but I'm unsure how to go about it and I found ufdbGuard at http://www.urlfilterdb.com which says it can check for invalid ssl certs.
Has anyone else found ways to detect this?
So far I can check if a certificate has expired by using http://prefetch.net/articles/checkcertificate.html
I'm thinking of something like:
User requests ssl_site -> squid/dansguardian sees request and issues its own request to ssl_site, openssl checks that certificate is trusted and user request is either processed or denied. Checked and ok sites could be cached for "X" amount of time.
I just haven't worked out the mechanics or the overhead this would place on each request.
Last edited by pete; 25th February 2008 at 03:42 PM.
-
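The check-and-cache flow proposed in the first post, sketched as a Squid external ACL helper in Python. This is an added example, not code from the thread or from ufdbGuard; the TTL value and the names `verify_cert`, `VerdictCache` and `answer` are assumptions made for illustration.

```python
"""Squid external ACL helper sketch: OK only for CA-trusted, name-matching certs."""
import socket
import ssl
import sys
import time

TTL = 3600  # seconds a verdict is reused (the post's "X"); assumed value

def verify_cert(host, port, timeout=5.0):
    """Handshake with host:port; return (ok, reason) from chain and name checks."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, ""
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message  # e.g. self-signed, expired, wrong name
    except OSError as exc:  # refused, timeout, non-TLS service: fail closed
        return False, "handshake failed: %s" % exc

class VerdictCache:
    """TTL cache in front of a checker so each site is probed once per TTL."""
    def __init__(self, checker=verify_cert, ttl=TTL, clock=time.monotonic):
        self.checker, self.ttl, self.clock = checker, ttl, clock
        self.entries = {}  # (host, port) -> (expires_at, (ok, reason))

    def lookup(self, host, port):
        key = (host.lower(), port)
        hit = self.entries.get(key)
        if hit and hit[0] > self.clock():
            return hit[1]
        verdict = self.checker(host, port)
        self.entries[key] = (self.clock() + self.ttl, verdict)
        return verdict

def answer(cache, line):
    """Map one request line ("host port") to Squid's OK / ERR reply."""
    fields = line.split()
    if len(fields) != 2 or not fields[1].isdecimal() or not 0 < int(fields[1]) < 65536:
        return "ERR"  # malformed request: fail closed
    ok, reason = cache.lookup(fields[0], int(fields[1]))
    if not ok:
        print("deny %s: %s" % (fields[0], reason), file=sys.stderr)
    return "OK" if ok else "ERR"

if __name__ == "__main__":
    verdicts = VerdictCache()
    for request in sys.stdin:
        print(answer(verdicts, request), flush=True)
```

Squid would start such a helper through an `external_acl_type` definition that passes `%DST %PORT`. Each helper process keeps its own cache, and a verdict reflects the certificate as seen from the proxy at probe time.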
25th February 2008, 04:19 PM #2
-
-
25th February 2008, 05:00 PM #3 just looking at it now - are you using it Geoff?
-
-
25th February 2008, 05:37 PM #4 FWIW, this feature will be in Guardian08 feature-pack1, we believe it will do a lot to alleviate https circumvention proxies.
-
-
25th February 2008, 08:03 PM #5 
Originally Posted by tom_newton
FWIW, this feature will be in Guardian08 feature-pack1, we believe it will do a lot to alleviate https circumvention proxies.
Nice to hear, I'm going to upgrade Schools Guardian 2008 in the next couple of weeks 
Any ETA for SP1?
-
-
26th February 2008, 01:12 AM #6 
Originally Posted by pete
just looking at it now - are you using it Geoff?
No, but planning to.
-
-
26th February 2008, 09:36 AM #7 
Originally Posted by steve
Nice to hear, I'm going to upgrade Schools Guardian 2008 in the next couple of weeks
Any ETA for SP1?
It should be out in late June, early July, all things being equal, with the general aim to get a release before you lot go on yer summer hols. There should be a couple of interesting new bits in there... new reports, some new controls in guardian... user delegated reporting.. hmm, best go poke the dev team with something sharp
-
-
4th August 2008, 01:50 PM #8 Thread resurrection, since it may be useful to others
Just a quick note to say I've got ufdbguard working and it's rather good. I'm using it in conjunction with dansguardian as a means to block invalid ssl certs and identify ssl proxy tunnels.
Example results:
Code:
2008-08-04 13:45:01 [10722] SSL certificate common name `localhost.localdomain' doesn't match hostname `www.magnetmice.com' *****
2008-08-04 13:45:02 [10722] BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
2008-08-04 13:45:07 [10722] BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
2008-08-04 13:45:15 [10722] SSL certificate for thornfruit.com: unrecognised issuer
2008-08-04 13:45:15 [10722] issuer: /C=Y1/ST=6Asx5bsLCQ/L=Aj8zmKQJ7f/O=mz7lirB8PgDrbbCTdKiX/OU=50FfS/CN=ygd3gIDRiOV/emailAddress=yUoU1vvP@uL3cMg.com *****
2008-08-04 13:45:15 [10722] this issuer is not a recognised certificate authority
2008-08-04 13:45:15 [10722] SSL certificate common name `rwGR9ZhA2i4y' doesn't match hostname `thornfruit.com' *****
2008-08-04 13:45:28 [10722] BLOCK - IPADDRESS allSystems security thornfruit.com:443 -
Tip: to give it a list of valid trusted SSL certs/CAs, copy (or symlink) /etc/ssl/cert/ca-certificates.crt to $ufdbinstalldir/blacklists/security/cacerts.
*waits to see how many curriculum web-based apps use dodgy certs*