Use additional details in SAN field to build ACLs


Use additional details in SAN field to build ACLs

Ahmad, Sarfaraz

Hi,

Can I leverage other information available in a server certificate's SAN field to build my ACLs?

Here's a sample from the SAN field:

DNS Name=abc.example.com

IP Address=10.0.97.72

I haven't tried it but would using ssl::server_name_regex work to match IP=10.0.97.*?

Also I couldn't find a way to capture ssl::server_name (that Squid builds as described in the "acl" directive doc) in the logs. The logformat directive has only some bits of ssl information.

Regards,

Sarfaraz


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Use additional details in SAN field to build ACLs

Alex Rousskov
On 06/18/2018 09:36 PM, Ahmad, Sarfaraz wrote:

> Can I leverage other information available in a server certificate's
> SAN field to build my ACLs?

Unfortunately, Squid does not have ACLs that can match non-dNSName[1]
parts of the Subject Alternative Name extension.

[1] https://tools.ietf.org/html/rfc5280#section-4.2.1.6


> I haven't tried it but would using ssl::server_name_regex work to match
> IP=10.0.97.*?

No, it should not work. When looking at SAN, Squid only looks at dNSName.


> Also I couldn’t find a way to capture ssl::server_name (that Squid
> builds as described in the “acl” directive doc) in the logs. Logformat
> directive has only some bits of ssl information.

Squid does not have a logformat %code that would always contain the same
name as the one examined by the ssl::server_name ACL. Moreover, since
ssl::server_name ACL examines different names (depending on the
evaluation timing/context), logging a single value at the end of the
transaction would not tell you what ssl::server_name ACL was dealing with.

Needless to say, it is possible to modify Squid to add ACL(s) that would
interrogate other SAN names and logformat %codes that would log SAN
dNSName and other server certificate details. Logging the equivalent of
the final ssl::server_name is also possible.

https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F

Alex.
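The point Alex makes, that the Subject Alternative Name extension is a list of typed GeneralName entries and Squid's ssl::server_name ACLs only consider the dNSName type, is easy to see by decoding the extension yourself. The following is an added example, not code from the thread or from the Squid project: a minimal DER decoder for the SubjectAltName structure from RFC 5280 section 4.2.1.6, plus a small emulation of how a regex ACL restricted to dNSName values behaves. The `encode_san` helper only exists to construct test input (the SAN from the original question) offline; the assumption that the real ACL also consults names from other sources (such as the TLS SNI) is noted in the comments and is not modelled here.

```python
"""Decode an X.509 SubjectAltName extension and show which entries a
dNSName-only ACL (like Squid's ssl::server_name*) can ever match."""
import ipaddress
import re

# GeneralName CHOICE tags (context-specific, IMPLICIT), RFC 5280 4.2.1.6
TAG_DNSNAME = 2     # [2] IA5String
TAG_IPADDRESS = 7   # [7] OCTET STRING (4 bytes IPv4, 16 bytes IPv6)


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_san(der):
    """Return [(kind, value), ...] from a DER SubjectAltName SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if (tag & 0xC0) != 0x80:
            raise ValueError("GeneralName entries are context-specific tags")
        choice = tag & 0x1F
        if choice == TAG_DNSNAME:
            names.append(("dNSName", value.decode("ascii")))
        elif choice == TAG_IPADDRESS:
            # ip_address() accepts the packed 4/16-byte form directly
            names.append(("iPAddress", str(ipaddress.ip_address(value))))
        else:
            # rfc822Name, URI, directoryName, ... kept opaque here
            names.append(("other[%d]" % choice, value))
    return names


def encode_san(dns_names, ips):
    """Constructed test input: build a DER SAN (short-form lengths only)."""
    parts = []
    for name in dns_names:
        raw = name.encode("ascii")
        parts.append(bytes([0x80 | TAG_DNSNAME, len(raw)]) + raw)
    for ip in ips:
        raw = ipaddress.ip_address(ip).packed
        parts.append(bytes([0x80 | TAG_IPADDRESS, len(raw)]) + raw)
    body = b"".join(parts)
    if len(body) >= 128:
        raise ValueError("test encoder only supports short-form lengths")
    return bytes([0x30, len(body)]) + body


def squid_server_name_candidates(san):
    """Names a dNSName-only ACL could see from this SAN.

    Assumption noted for readers: the real ssl::server_name ACL also draws
    on other names (e.g. TLS SNI, subject CN) depending on evaluation
    timing; only the SAN contribution is modelled here.
    """
    return [value for kind, value in san if kind == "dNSName"]


def server_name_regex_matches(pattern, san):
    """Emulate ssl::server_name_regex over the SAN: regex over dNSName only."""
    rx = re.compile(pattern)
    return any(rx.search(name) for name in squid_server_name_candidates(san))


if __name__ == "__main__":
    # The SAN from the original question, constructed locally.
    san = parse_san(encode_san(["abc.example.com"], ["10.0.97.72"]))
    for kind, value in san:
        print("%-10s %s" % (kind, value))
    print("visible to dNSName ACL:", squid_server_name_candidates(san))
    print("regex 10\\.0\\.97\\..* matches:",
          server_name_regex_matches(r"10\.0\.97\..*", san))
```

Run as a script, the output lists both SAN entries but shows that only `abc.example.com` is a candidate for matching, so a pattern written against the iPAddress entry can never fire. If you need to confirm what a real certificate carries, `openssl x509 -noout -ext subjectAltName` prints the same typed entries, and the iPAddress ones will be absent from anything Squid's dNSName-based ACL evaluates.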