  1. #1 (pete)
    Blocking invalid ssl certs with Squid

    ...and Dansguardian

    We have the usual proxy avoidance problems - the http ones can be blocked via regular expressions, and the http redirector for the https one can also be blocked by regular expression. This leaves direct connections to https:// sites to be blocked when the logs are parsed.

    I wondered if there's a way to block based on an unsigned/self-signed ssl certificate, but I'm unsure how to go about it and I found ufdbGuard at http://www.urlfilterdb.com which says it can check for invalid ssl certs.

    Has anyone else found ways to detect this?

    So far I can check if a certificate has expired by using http://prefetch.net/articles/checkcertificate.html

    I'm thinking of something like:
    User requests ssl_site -> squid/dansguardian sees request and issues its own request to ssl_site, openssl checks that certificate is trusted and user request is either processed or denied. Checked and ok sites could be cached for "X" amount of time.

    I just haven't worked out the mechanics or the overhead this would place on each request.
    Last edited by pete; 25th February 2008 at 02:42 PM.
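Post #1 sketches the mechanics (the proxy sees the CONNECT, makes its own TLS connection to the destination, lets OpenSSL judge the certificate, and caches the verdict for a while). Below is that design written out as a Squid external ACL helper. This is an added example, not code from the thread, from ufdbGuard, DansGuardian or Squid. Assumptions: Python 3's ssl module does the chain and hostname checks, so the policy is the one a browser applies (issuer in the CA bundle, not expired, name matches); the squid.conf line passes a single %DST field and does not use concurrency=, so each request line is just a host (optionally host:port); the CA bundle lives at Debian's /etc/ssl/certs/ca-certificates.crt; the hour-long TTL is arbitrary. The checker and clock are injectable so the cache logic can be exercised without a network.

```python
"""Squid external ACL helper: admit a CONNECT only if the destination presents a
certificate OpenSSL would trust for that hostname. Added example; not part of the
thread, ufdbGuard, DansGuardian or Squid.

Helper protocol (Squid external_acl_type): one request per line on stdin, one
reply per line on stdout: "OK", "ERR [message=...]" or "BH" (helper failure,
which Squid does not cache).
"""
import socket
import ssl
import sys
import time

TTL_SECONDS = 3600        # assumption: remember a verdict for an hour
CONNECT_TIMEOUT = 5       # assumption: seconds to wait for the probe handshake
CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"   # assumption: Debian/Ubuntu path


def classify_ssl_error(message):
    """Map OpenSSL's verify-failure text (as str(SSLCertVerificationError)) to a
    short reason. Works on the text alone so it can be tested offline."""
    m = message.lower()
    if "self signed" in m or "self-signed" in m:
        return "self-signed"
    if "hostname mismatch" in m or "doesn't match" in m:
        return "cn-mismatch"
    if "expired" in m:
        return "expired"
    if "unable to get local issuer" in m or "unable to get issuer" in m or "unknown ca" in m:
        return "unrecognised-issuer"
    return "verify-failed"


def probe_host(host, port=443, cafile=CA_BUNDLE):
    """Open a TLS connection as a browser would (SNI set, chain validated against
    cafile, hostname checked). Returns (status, reason) with status OK/ERR/BH."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
        with socket.create_connection((host, port), timeout=CONNECT_TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "OK", "ok"
    except ssl.SSLCertVerificationError as e:
        return "ERR", classify_ssl_error(str(e))
    except (ssl.SSLError, OSError) as e:
        # Transport or handshake trouble, not a certificate verdict: BH tells Squid
        # not to cache it, so a transient outage does not become a cached deny.
        return "BH", f"probe failed: {e}"


class CertGate:
    """Verdict cache in front of the probe, as post #1 proposes: one real
    handshake per distinct host per TTL, everything else answered from memory."""

    def __init__(self, checker=probe_host, ttl=TTL_SECONDS, clock=time.monotonic):
        self.checker = checker
        self.ttl = ttl
        self.clock = clock
        self.cache = {}   # host -> (expires_at, status, reason)

    def verdict(self, host):
        now = self.clock()
        hit = self.cache.get(host)
        if hit and hit[0] > now:
            return hit[1], hit[2]
        status, reason = self.checker(host)
        if status != "BH":                 # only cache real verdicts
            self.cache[host] = (now + self.ttl, status, reason)
        return status, reason

    def reply(self, host):
        status, reason = self.verdict(host)
        if status == "ERR":
            return f'ERR message="{reason}"'   # message= shows up in Squid's error page/log
        return status


def handle_lines(lines, gate):
    """Turn helper request lines (one %DST each) into replies; returns the list.
    Assumes a hostname or IPv4 literal, optionally followed by :port."""
    replies = []
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        host = fields[0].rsplit(":", 1)[0]
        replies.append(gate.reply(host))
    return replies


if __name__ == "__main__":
    gate = CertGate()
    for request in sys.stdin:          # Python 3 iterates stdin line by line
        for reply in handle_lines([request], gate):
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()
```

Wired in with an external_acl_type line that passes %DST (Squid's own ttl= and negative_ttl= options cache on top of the helper's cache), an acl of type external, and an http_access deny for CONNECT requests that fail it. Two caveats worth knowing before deploying: the helper only inspects the certificate the proxy itself is shown for that hostname, so a circumvention proxy sitting behind a properly issued certificate passes this check, and an internal app with a self-signed certificate is denied until you whitelist it (or add its CA to the bundle). The overhead pete asks about is one TLS handshake per distinct host per TTL window, plus Squid's wait on the helper for the first request to each host.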

  2. #2 (Geoff)
  3. #3 (pete)
    just looking at it now - are you using it Geoff?

  4. #4 (tom_newton)
    FWIW, this feature will be in Guardian08 feature-pack1, we believe it will do a lot to alleviate https circumvention proxies.

  5. #5 (steve)
    Quote Originally Posted by tom_newton View Post
    FWIW, this feature will be in Guardian08 feature-pack1, we believe it will do a lot to alleviate https circumvention proxies.
    Nice to hear, I'm going to upgrade Schools Guardian 2008 in the next couple of weeks

    Any ETA for SP1?

  6. #6 (Geoff)
    Quote Originally Posted by pete View Post
    just looking at it now - are you using it Geoff?
    No, but planning to.

  7. #7 (tom_newton)
    Quote Originally Posted by steve View Post
    Nice to hear, I'm going to upgrade Schools Guardian 2008 in the next couple of weeks

    Any ETA for SP1?
    It should be out in late June, early July, all things being equal, with the general aim to get a release before you lot go on yer summer hols. There should be a couple of interesting new bits in there... new reports, some new controls in guardian... user delegated reporting.. hmm, best go poke the dev team with something sharp

  8. #8 (pete)
    Thread resurrection, since it may be useful to others

    Just a quick note to say I've got ufdbguard working and it's rather good. I'm using it in conjunction with dansguardian as a means to block invalid ssl certs and identify ssl proxy tunnels.

    Example results:
    Code:
    2008-08-04 13:45:01 [10722] SSL certificate common name `localhost.localdomain' doesn't match hostname `www.magnetmice.com' *****
    2008-08-04 13:45:02 [10722] BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
    2008-08-04 13:45:07 [10722] BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
    2008-08-04 13:45:15 [10722] SSL certificate for thornfruit.com: unrecognised issuer
    2008-08-04 13:45:15 [10722]    issuer: /C=Y1/ST=6Asx5bsLCQ/L=Aj8zmKQJ7f/O=mz7lirB8PgDrbbCTdKiX/OU=50FfS/CN=ygd3gIDRiOV/emailAddress=yUoU1vvP@uL3cMg.com *****
    2008-08-04 13:45:15 [10722]    this issuer is not a recognised certificate authority
    2008-08-04 13:45:15 [10722] SSL certificate common name `rwGR9ZhA2i4y' doesn't match hostname `thornfruit.com' *****
    2008-08-04 13:45:28 [10722] BLOCK - IPADDRESS allSystems security thornfruit.com:443 -
    Tip: to give it a list of valid trusted SSL certs/CAs, copy (or symlink) /etc/ssl/cert/ca-certificates.crt to $ufdbinstalldir/blacklists/security/cacerts.

    *waits to see how many curriculum web-based apps use dodgy certs*
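Post #8's log excerpt is the raw material for answering its own closing question: which hosts ufdbGuard is blocking and why. The script below folds those lines into one record per host (reasons ufdbGuard gave, issuer DN if it printed one, number of blocked CONNECTs). It is an added example, not code from the thread or from ufdbGuard; the sample log is exactly the eight lines pete posted, and the layout "date time [pid] message" plus the three message shapes (common-name mismatch, "SSL certificate for host: reason" followed by an indented issuer line, and BLOCK) are assumed from that sample alone.

```python
"""Summarise ufdbGuard SSL-verification log lines per host.
Added example; not part of the thread or of ufdbGuard."""
import re
from collections import OrderedDict

# Constructed sample: the lines posted in the thread, unchanged.
SAMPLE_LOG = """\
2008-08-04 13:45:01 [10722] SSL certificate common name `localhost.localdomain' doesn't match hostname `www.magnetmice.com' *****
2008-08-04 13:45:02 [10722] BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
2008-08-04 13:45:07 [10722] BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
2008-08-04 13:45:15 [10722] SSL certificate for thornfruit.com: unrecognised issuer
2008-08-04 13:45:15 [10722]    issuer: /C=Y1/ST=6Asx5bsLCQ/L=Aj8zmKQJ7f/O=mz7lirB8PgDrbbCTdKiX/OU=50FfS/CN=ygd3gIDRiOV/emailAddress=yUoU1vvP@uL3cMg.com *****
2008-08-04 13:45:15 [10722]    this issuer is not a recognised certificate authority
2008-08-04 13:45:15 [10722] SSL certificate common name `rwGR9ZhA2i4y' doesn't match hostname `thornfruit.com' *****
2008-08-04 13:45:28 [10722] BLOCK - IPADDRESS allSystems security thornfruit.com:443 -
"""

# Line shapes assumed from the sample above (the trailing ***** is a highlight, not data).
ENTRY = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<pid>\d+)\] (?P<msg>.*)$")
CN_MISMATCH = re.compile(r"SSL certificate common name `(?P<cn>[^']*)' doesn't match hostname `(?P<host>[^']*)'")
CERT_FOR = re.compile(r"SSL certificate for (?P<host>\S+): (?P<why>.*?)\s*\**\s*$")
ISSUER = re.compile(r"^\s*issuer: (?P<dn>\S+)")
BLOCK = re.compile(r"BLOCK - (?P<client>\S+) (?P<user>\S+) (?P<category>\S+) (?P<host>[^:\s]+):(?P<port>\d+)")


def new_record():
    return {"reasons": [], "blocks": 0, "first_block": None, "issuer": None, "category": None}


def summarise(lines):
    """One record per host. Every diagnostic line names its host except the
    indented issuer line, which is attached to the host of the preceding
    "SSL certificate for" line."""
    hosts = OrderedDict()
    last_host = None
    for raw in lines:
        m = ENTRY.match(raw.rstrip("\n"))
        if not m:
            continue                      # not a log entry (blank line, banner, etc.)
        ts, msg = m.group("ts"), m.group("msg")
        cn = CN_MISMATCH.search(msg)
        if cn:
            rec = hosts.setdefault(cn.group("host"), new_record())
            rec["reasons"].append(f"common name '{cn.group('cn')}' does not match")
            last_host = cn.group("host")
            continue
        cf = CERT_FOR.search(msg)
        if cf:
            rec = hosts.setdefault(cf.group("host"), new_record())
            rec["reasons"].append(cf.group("why"))
            last_host = cf.group("host")
            continue
        iss = ISSUER.match(msg)
        if iss and last_host:
            hosts[last_host]["issuer"] = iss.group("dn")
            continue
        b = BLOCK.search(msg)
        if b:
            rec = hosts.setdefault(b.group("host"), new_record())
            rec["blocks"] += 1
            rec["category"] = b.group("category")
            rec["first_block"] = rec["first_block"] or ts
    return hosts


def report(hosts):
    """One line per host, most-blocked first: the list to hand to whoever owns
    the curriculum apps that turn up in it."""
    rows = sorted(hosts.items(), key=lambda kv: -kv[1]["blocks"])
    out = []
    for host, rec in rows:
        why = "; ".join(rec["reasons"]) or "no SSL diagnostic seen"
        line = f"{host}: {rec['blocks']} blocked ({why})"
        if rec["issuer"]:
            line += f" issuer={rec['issuer']}"
        out.append(line)
    return out


if __name__ == "__main__":
    for line in report(summarise(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it over the real log instead of the sample (summarise(open(path))) and the hosts with a CA-signed but mis-named certificate, the ones with a home-made issuer, and the plain tunnels fall into separate lines, which is the split you need before deciding what to whitelist. Hosts that were blocked without any preceding SSL diagnostic are reported as such rather than guessed at.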
