Blocking invalid ssl certs with Squid
We have the usual proxy avoidance problems - the http ones can be blocked via regular expressions, and the http redirector for the https one can also be blocked by regular expression. This leaves direct connections to https:// sites to be blocked when the logs are parsed.
I wondered if there's a way to block based on an unsigned/self-signed ssl certificate, but I'm unsure how to go about it. I found ufdbGuard at http://www.urlfilterdb.com, which says it can check for invalid ssl certs.
Has anyone else found ways to detect this?
So far I can check if a certificate has expired by using http://prefetch.net/articles/checkcertificate.html
I'm thinking of something like:
User requests ssl_site -> squid/dansguardian sees the request and issues its own request to ssl_site; openssl checks that the certificate is trusted and the user's request is either processed or denied. Checked and OK sites could be cached for "X" amount of time.
I just haven't worked out the mechanics or the overhead this would place on each request.
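The mechanics sketched above, as an added example that is not code from the thread or from ufdbGuard: the proxy side opens its own TLS connection to the site, lets OpenSSL (via Python's stdlib ssl module) verify the chain against a CA bundle and check the hostname, classifies any failure the way ufdbGuard's log does (CN mismatch, unrecognised issuer, expired), and caches the verdict per host for a TTL. Assumptions not in the post: the Debian/Ubuntu CA bundle path, a one-hour TTL, and the stdin loop at the bottom, which speaks Squid's one-request-per-line, OK/ERR external ACL helper protocol so the script could be wired in with an external_acl_type line.

```python
"""Added example, not code from the thread or from ufdbGuard.
A proxy helper calls CertGate.decide(host) once per CONNECT; the first call
opens our own TLS connection to host:443, OpenSSL verifies chain + hostname,
and the verdict is cached for TTL_SECONDS."""
import socket
import ssl
import sys
import time

CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # assumption: Debian/Ubuntu bundle path
TTL_SECONDS = 3600                                 # assumption: the post's "X"


def classify(verify_message):
    """Map OpenSSL's verification error text to a short block reason,
    mirroring the failure kinds ufdbGuard logs (CN mismatch, unknown issuer)."""
    m = verify_message.lower()
    if "hostname mismatch" in m or "doesn't match" in m:
        return "cn_mismatch"
    if "self signed" in m or "self-signed" in m:
        return "self_signed"
    if "local issuer" in m or "unknown ca" in m:
        return "unrecognised_issuer"
    if "expired" in m:
        return "expired"
    return "other"


def probe(host, port=443, cafile=CA_BUNDLE, timeout=5.0):
    """Open our own TLS connection and let OpenSSL do the checking.
    Returns (ok, reason); a bad certificate makes the handshake raise."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust only this bundle
    ctx.check_hostname = True            # CN/SAN must match `host`
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must end at a CA in `cafile`
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                pass                     # handshake succeeded: cert verified
        return True, "verified"
    except ssl.SSLCertVerificationError as e:
        return False, classify(getattr(e, "verify_message", str(e)))
    except (ssl.SSLError, OSError):
        return False, "connect_error"    # not a cert verdict; fail closed


class CertGate:
    """Per-host cache of probe() verdicts so each site is checked once per TTL."""

    def __init__(self, probe_fn=probe, ttl=TTL_SECONDS, clock=time.monotonic):
        self._probe, self._ttl, self._clock = probe_fn, ttl, clock
        self._cache = {}  # host -> (expires_at, ok, reason)

    def decide(self, host):
        """Return (ok, reason, from_cache); probes only on a miss or expiry."""
        now = self._clock()
        hit = self._cache.get(host)
        if hit is not None and hit[0] > now:
            return hit[1], hit[2], True
        ok, reason = self._probe(host)
        self._cache[host] = (now + self._ttl, ok, reason)
        return ok, reason, False


if __name__ == "__main__":
    # Assumed caller: a Squid external_acl_type helper that sends one
    # destination host per line and expects "OK" or "ERR" back.
    gate = CertGate()
    for line in sys.stdin:
        fields = line.split()
        if not fields:
            sys.stdout.write("ERR message=empty_request\n")
        else:
            ok, reason, _ = gate.decide(fields[0])
            sys.stdout.write("OK\n" if ok else "ERR message=%s\n" % reason)
        sys.stdout.flush()
```

Two design notes: negative verdicts are cached for the same TTL as positive ones, so a site that replaces a bad certificate stays blocked until expiry (a shorter TTL for denials is an easy change if that matters), and a connection failure is also returned as a denial, which is the fail-closed choice but means an unreachable site is cached as "bad" until the TTL runs out.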
Thread resurrection, since it may be useful to others
Just a quick note to say I've got ufdbguard working and it's rather good. I'm using it in conjunction with dansguardian as a means to block invalid ssl certs and identify ssl proxy tunnels.
Tip: to give it a list of valid trusted SSL certs/CAs, copy (or symlink) /etc/ssl/cert/ca-certificates.crt to $ufdbinstalldir/blacklists/security/cacerts.
2008-08-04 13:45:01  SSL certificate common name `localhost.localdomain' doesn't match hostname `www.magnetmice.com' *****
2008-08-04 13:45:02  BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
2008-08-04 13:45:07  BLOCK - IPADDRESS allSystems security www.magnetmice.com:443 -
2008-08-04 13:45:15  SSL certificate for thornfruit.com: unrecognised issuer
2008-08-04 13:45:15  issuer: /C=Y1/ST=6Asx5bsLCQ/L=Aj8zmKQJ7f/O=mz7lirB8PgDrbbCTdKiX/OU=50FfS/CN=ygd3gIDRiOV/emailAddress=yUoU1vvP@uL3cMg.com *****
2008-08-04 13:45:15  this issuer is not a recognised certificate authority
2008-08-04 13:45:15  SSL certificate common name `rwGR9ZhA2i4y' doesn't match hostname `thornfruit.com' *****
2008-08-04 13:45:28  BLOCK - IPADDRESS allSystems security thornfruit.com:443 -
*waits to see how many curriculum web-based apps use dodgy certs*