[squid-users] EV check script for domains
Amos Jeffries
squid3 at treenet.co.nz
Wed Feb 11 01:23:54 UTC 2026
Nice.
FYI, this script doing its own certificate lookup risks reaching a
server providing a different server-cert than the one Squid connects to.
Same problem as seen when allowing clients based on future dst-IPs.
IMO this would be a good reason for adding a "server_cert" ACL type, to
match server certificate attributes like the existing "user_cert" type
does for client certs. It needs to be the "fast"/synchronous type of ACL
to be used by ssl_bump access control.
Cheers
Amos
On 11/02/2026 09:03, NgTech LTD wrote:
> Hey,
>
> I have been wondering for which websites we can disable TLS inspection
> automatically.
> There are sites like banks which have EV certificates.
> It's pretty easy to just allow these sites to not be bumped by squid or
> any other DPI systems.
> In the past I had an issue with a couple of appliances which implement DPI
> and TLS inspection.
> All of them automatically inspect banks and many other sites without any
> way other than
> manually adding specific domains or ip addresses to the exceptions list.
> I have the following example script in Python:
> ```
> import ssl
> import socket
> from cryptography import x509
>
> def analyze_site_security(hostname):
>     # 1. Define the standard EV OID
>     EV_OID = "2.23.140.1.1"
>
>     context = ssl.create_default_context()
>     try:
>         with socket.create_connection((hostname, 443), timeout=5) as sock:
>             with context.wrap_socket(sock, server_hostname=hostname) as ssock:
>                 # Get the binary certificate
>                 bin_cert = ssock.getpeercert(binary_form=True)
>                 cert = x509.load_der_x509_certificate(bin_cert)
>
>                 # Extract Organization and Policy OIDs
>                 subject = cert.subject
>                 org_name = next((attr.value for attr in subject if
>                                  attr.oid.dotted_string == "2.5.4.10"), "N/A")
>
>                 # Check for EV OIDs in extensions
>                 is_ev = False
>                 try:
>                     policies = cert.extensions.get_extension_for_oid(
>                         x509.oid.ExtensionOID.CERTIFICATE_POLICIES)
>                     for policy in policies.value:
>                         if policy.policy_identifier.dotted_string == EV_OID:
>                             is_ev = True
>                 except x509.ExtensionNotFound:
>                     # No Certificate Policies extension at all: not EV
>                     pass
>
>                 return {
>                     "site": hostname,
>                     "is_ev_certified": is_ev,
>                     "organization": org_name,
>                     "tls_version": ssock.version(),
>                     "likely_pci_entity": is_ev and (ssock.version() in
>                                                     ['TLSv1.2', 'TLSv1.3'])
>                 }
>     except Exception as e:
>         return {"error": str(e)}
>
> # Testing it out
> print(analyze_site_security("www.paypal.com"))
> print(analyze_site_security("www.google.com"))
> ```
>
> It can be converted and modified a bit to be an external_acl helper or
> external service that will get a couple of details on the connection like ip
> address+port+domain and will just trigger a tls inspection bypass for
> the relevant sites automatically.
>
> I hope it helps anyone.
>
> Eliezer
> ----
> Eliezer Croitoru
> Technical support, he who makes the wind blow and the rain fall
> Mobile: 052-8704261
> Email: ngtech1ltd at gmail.com
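Eliezer's script reworked into the external_acl helper he describes, with Amos's caveat in mind, as an added example that is not code from the thread: it connects to the destination address Squid hands it instead of doing its own DNS lookup (which narrows, but does not close, the gap between the certificate the helper sees and the one Squid will see), answers OK only when the verified leaf certificate carries the EV policy OID, and answers ERR on any failure so the site stays bumped. The two-token request line ("<sni> <dst-ip>", to be produced by your external_acl_type FORMAT), the hypothetical example.test name and the self-signed sample_cert() used for offline testing are assumptions; the helper is written without a concurrency channel-id.

```python
import socket, ssl, sys
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

EV_OID = "2.23.140.1.1"  # CA/Browser Forum Extended Validation policy OID

def has_ev_policy(der_cert: bytes) -> bool:
    """True if the leaf certificate's Certificate Policies extension lists EV_OID."""
    cert = x509.load_der_x509_certificate(der_cert)
    try:
        ext = cert.extensions.get_extension_for_oid(x509.ExtensionOID.CERTIFICATE_POLICIES)
    except x509.ExtensionNotFound:  # no policies extension at all: not EV
        return False
    return any(p.policy_identifier.dotted_string == EV_OID for p in ext.value)

def fetch_server_cert(sni: str, addr: str, port: int = 443) -> bytes:
    """Connect to the address Squid supplied (no fresh DNS lookup), verify the chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((addr, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)

def handle_line(line: str, fetch=fetch_server_cert) -> str:
    """One external_acl request "<sni> <dst-ip>" per line; reply OK, ERR or BH."""
    parts = line.split()
    if len(parts) < 2:
        return "BH message=expected_sni_and_address"
    try:
        return "OK" if has_ev_policy(fetch(parts[0], parts[1])) else "ERR"
    except (OSError, ValueError) as exc:  # unverifiable or unparsable: keep bumping
        return "ERR message=" + type(exc).__name__

def sample_cert(ev: bool) -> bytes:
    """Constructed self-signed certificate for offline testing (not a real site cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, "example.test")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if ev:
        policy = x509.PolicyInformation(x509.ObjectIdentifier(EV_OID), None)
        builder = builder.add_extension(x509.CertificatePolicies([policy]), critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

if __name__ == "__main__":  # Squid external_acl helper loop: one request line in, one reply out
    for request in sys.stdin:
        print(handle_line(request), flush=True)
```

A site that is not EV, or whose certificate cannot be fetched and verified, is answered ERR, so the ACL only ever relaxes bumping when the positive check succeeds.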