----- Original Message -----
> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
> To: "squid-users@xxxxxxxxxxxxxxx" <squid-users@xxxxxxxxxxxxxxx>
> Cc:
> Sent: Wednesday, 6 March 2013 6:20 AM
> Subject: Re: Bypassing SSL Bump for dstdomain
>
> On 03/04/2013 10:11 PM, Amm wrote:
>
>>> # Let user specify domains to avoid decrypting, such as internet banking
>>> acl bump-bypass dstdomain .commbank.com.au
>>> ssl_bump none bump-bypass
>>> ssl_bump server-first all
>
>> This will not work for intercepting traffic. Because domain is known
>> only after SSL connection is established. So certificate stage etc
>> has already passed.
>
> It will work but only if the reverse DNS lookup for the intercepted IP
> address works: ssl_bump supports slow ACLs, and dstdomain is a slow ACL
> if given an IP address.

As per http://www.squid-cache.org/Doc/config/acl/ it's a fast ACL:

acl aclname dstdomain .foo.com ...  # Destination server from URL [fast]

Also, depending on a reverse lookup for bypassing ssl_bump can be insecure w.r.t. policy. Rare, but still somewhat insecure.

>> I am also assuming that squid checks IP based ACLs for ssl_bump
>> before establishing connection with client.
>
> Squid checks all ssl_bump ACLs before establishing a TCP connection with
> the server. The TCP connection from the client is already accepted (or
> intercepted) by the time ssl_bump ACL is checked.

What I would like to know is, does squid check ssl_bump ACL before starting SSL connection with client OR after? (for intercepting on https_port)

Otherwise ssl_bump server-first OR none feature does not help much.

Regards,

Amm.
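The configuration below is an added example illustrating the point argued in this thread; it is not from the original message or from the Squid project. It puts the posted dstdomain bypass next to the IP-based bypass that Amm's assumption relies on: with intercepted HTTPS, Squid has no hostname at the point the ssl_bump ACLs are evaluated (only the client's destination IP), so a dst match needs no DNS lookup at all, whereas the dstdomain match depends on whatever reverse DNS returns for that IP. The port number, certificate path and the 192.0.2.0/24 and 198.51.100.0/24 ranges are placeholders (the real bank address ranges would have to be obtained and maintained separately); the ssl_bump syntax is the server-first form used in the thread.

```conf
# Added example, not from the original thread. Assumes an intercepting
# https_port and Squid 3.3-era ssl_bump (server-first). Port, cert path
# and IP ranges are placeholders.
https_port 3129 intercept ssl-bump cert=/etc/squid/squid.pem

# As posted in the thread. On intercepted traffic the only "domain" Squid
# can match at ssl_bump time is the reverse-DNS name of the destination IP
# (if any), so whether the bank is bypassed depends on that lookup.
acl bump-bypass-domain dstdomain .commbank.com.au

# Alternative that needs no DNS: match the destination address directly.
# 192.0.2.0/24 and 198.51.100.0/24 are placeholder ranges, not the bank's.
acl bump-bypass-ip dst 192.0.2.0/24 198.51.100.0/24

# Bypass (do not bump) connections to the listed addresses; bump the rest.
ssl_bump none bump-bypass-ip
ssl_bump server-first all
```

The trade-off is the one raised in the thread: the IP list has to be kept current by hand, but a policy decision ("never decrypt banking traffic") does not then hinge on a reverse DNS answer that the address owner controls. Whether `ssl_bump none` takes effect before Squid starts the TLS handshake with the intercepted client is exactly the open question at the end of the message, and this fragment does not answer it.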