OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: querli on July 14, 2017, 03:00:20 pm
-
Hello all...
In Squid 3.5 it is possible to handle a TLS connection with splice all. In this case Squid opens a TCP tunnel without decoding the connection. In squidGuard (I know OPNsense doesn't use squidGuard) it is possible to block these connections with a blacklist (for example Shallalist) like every HTML connection. If I tick "Log SNI information only", I can see in /usr/local/etc/squid/squid.conf that this is not the splice all action. Is there a way to block HTTPS connections without decoding the connection?
Thx.
-
Hi querli,
The option should set splice all:
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/squid.conf#L70
It needs SSL bump and SNI options, also a valid certificate.
I am unaware of a problem in this area, so maybe the configuration simply needs a tweak to get it to work. :)
Cheers,
Franco
-
Thx Franco for the fast answer.
The problem is that I often receive cert errors from different sites (HSTS). Yes, I can put an entry in the SSL no-bump sites... but I don't want to know the content of the connection; I only want to block entries from the blacklist, even for HTTPS...
I'm going to try this. If this works, maybe it is possible to add this feature in the GUI.
-
Ah, it may be a little different from what you expect, I am no expert here so that eludes me. :) A snippet for squid.conf that works would help to find out what your expectation is and how to get it into the GUI as an easy option.
Thanks,
Franco
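As an added illustration of the kind of squid.conf snippet Franco asks for (this is not code from the thread, from OPNsense's template, or from the Squid project), the fragment below uses Squid 3.5 peek-and-splice to read the SNI from the client's TLS ClientHello, terminates the connection when the server name is on a blacklist, and splices everything else through without decrypting it. The proxy port, the certificate path and the blacklist file path are assumptions for the example; as Franco notes, Squid requires a certificate on any ssl-bump port even when nothing is ever decrypted.

```conf
# Added example, not from the thread or from OPNsense's template.
# Assumed: explicit proxy on port 3128 with a CA certificate at
# /usr/local/etc/squid/ca.pem. Squid insists on a certificate for any
# ssl-bump port even though the rules below never decrypt anything.
# (For transparent interception the equivalent line would be
#  "https_port 3129 intercept ssl-bump cert=..." with the same rules.)
http_port 3128 ssl-bump cert=/usr/local/etc/squid/ca.pem

# Blacklist file, one domain per line, matched with dstdomain
# semantics: a leading dot matches the domain and all its subdomains.
# Constructed sample content of /usr/local/etc/squid/blocked_sni.txt:
#   .example.net
#   tracker.example.org
acl blocked_sni ssl::server_name "/usr/local/etc/squid/blocked_sni.txt"

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: only the CONNECT request / ClientHello is available. Peek so
# Squid reads the SNI without committing to decrypting the session.
ssl_bump peek step1

# Step 2: the SNI is now known. Close blacklisted connections. Because
# the session was never decrypted there is no Squid error page; the
# browser just sees the connection dropped.
ssl_bump terminate blocked_sni

# Everything else is tunnelled byte-for-byte: no certificate errors,
# HSTS is unaffected, and the proxy never sees the content.
ssl_bump splice all
```

Two practical caveats: a client that sends no SNI matches nothing in the list and is spliced through, so this filters only what the ClientHello names, and the list is consulted against the name the client claims, not against the certificate the server later presents. Check the rules with `squid -k parse` before reloading; an ACL file that does not exist at that path is a startup error, not a silent allow.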