On 4/11/2014 1:39 a.m., James Lay wrote:
> On Mon, 2014-11-03 at 17:22 +1300, Amos Jeffries wrote:
>> On 3/11/2014 11:12 a.m., James Lay wrote:
>>> A weird question....I guess I need to find out exactly what I'm wanting before going further with trying to get peek to work. So here's a small example of what I currently have. From my .conf file:
>>>
>>> acl broken_sites dst 23.192.0.0/11
>>> http_access allow broken_sites
>>> ssl_bump splice broken_sites
>>>
>>> logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
>>>
>>> This currently works (no cert_subject though)...log entry shown:
>>>
>>> Nov 2 14:23:24 gateway (squid-1): 192.168.1.102 - - [02/Nov/2014:14:23:24 -0700] "CONNECT 23.211.233.155:443 HTTP/1.1" 200 4229 TCP_TUNNEL:ORIGINAL_DST -
>>
>> The TCP_TUNNEL tag shows that no bumping was done. Thus no details from inside the TLS transaction are available.
>>
>> "ssl_bump splice" means the same as "ssl_bump none" ... use the non-bumped CONNECT handling.
>>
>>
>>> Now this is required as the above will not function if bumped.
>>>
>>> At work, we use a commercial proxy with which we do not use any ssl inspection. These connections show up as, for example:
>>>
>>> tcp://www.whateversite.com TCP_DENIED
>>>
>>> And that's what I'm hoping to achieve here...determine what the site is, and allow or deny it, without having to actually do any SSL inspection. Will peek/stare accomplish this? Or am I restricted to bump/inspection only, which for a fair amount of sites (facebook, instagram, google mail, etc) does not work. Thanks all...I appreciate any advice.
>>
>> That depends on how you define "SSL inspection". If the TLS details are not inspected with peek - then the details you want will not be available. You can see that in the above example.
>>
>> The ssl_bump access controls are now tested repeatedly in a series of "steps" with the first matching action which is valid at the step being performed. So I suspect the only working configurations will use the at_step ACL type to restrict where the rest of the tests will be performed.
>>
>> If you look at the documentation for that ACL it shows the steps are only before/after the client and server Hello messages.
>>
>> I think you want to peek at step SslBump1 and splice at step SslBump3. Or maybe peek at step 1 and 2 then splice at 3.
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
>
> Thanks Amos.....looks like peek/splice is where this is going, so I'll continue this new information of at_step acl in my other thread.

It seems Christos has chimed in on the other thread. He is the ssl-bump author, so take whatever he says as basis.

Amos
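As an added example (not from this thread and not the Squid project's own documentation), here is one way to express what Amos describes: peek at the first SslBump step so the client's TLS ClientHello is read for its SNI, then decide splice or terminate from that name at the next step without ever decrypting the session. It assumes Squid 3.5 or later with SslBump enabled on an intercepting https_port (the port line is not shown), and uses the `ssl::server_name` ACL type and the `%ssl::>sni` logformat token from that release; the domain allow-list and log path are constructed placeholders.

```conf
# Added example, not the original poster's configuration. Assumes Squid 3.5+
# with SslBump enabled on an intercepting https_port (port line not shown).

# Which SslBump step the ssl_bump rules are currently being evaluated at.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Constructed placeholder allow-list, matched against the server name Squid
# has learned so far (after step 1 this is the SNI from the ClientHello).
acl allowed_sni ssl::server_name .example.com .example.net

# Step 1 (CONNECT or intercepted TCP, before any TLS bytes have been seen):
# the server name is not known yet, so peek to read the ClientHello.
ssl_bump peek step1

# Step 2 (after the ClientHello): the SNI is now available. Splice the
# allowed names (tunnel the bytes unmodified, no decryption) and refuse
# everything else. Neither rule matches at step 1 because peek won there.
ssl_bump splice allowed_sni
ssl_bump terminate all

# Log the SNI so each tunnel is attributable to a hostname even though the
# TLS payload is never decrypted. %ssl::>sni stays empty for a connection
# that was spliced at step 1 without a preceding peek, which is the
# situation in the thread's TCP_TUNNEL log line.
logformat tls_tunnel %>a [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh sni=%ssl::>sni
access_log /var/log/squid/tls_tunnel.log tls_tunnel
```

With the original single rule `ssl_bump splice broken_sites`, the splice decision is taken at step 1 before any TLS data has been read, which is why the resulting log entry carries TCP_TUNNEL and an empty certificate field. Peeking first costs nothing in terms of decryption (the server-facing connection is still the client's own TLS session) but gives the access-control and logging layers the hostname they need. Certificate fields such as `%ssl::>cert_subject` still require the server Hello to be peeked at step 2, which this example deliberately does not do.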