Re: Transparent proxy with Peek and Splice feature.

Hello Amos.

Thank you for the answer.

An investigation was made into squid's peek and splice issues in transparent mode. The one-line explanation is as follows: in intercept mode squid can't get the server host name from the request header and uses the client IP address instead, both for fake cert generation and as the SNI record in the server bump SSL handshake. This is the root of the problem. However, this can be fixed if squid uses the SNI field taken from the client TLS Hello message for those purposes. Can you hack squid in this way? What do you think?

Many thanks.


11/26/2014 11:33 AM, Amos Jeffries wrote:
> On 26/11/2014 7:22 a.m., Vadim Rogoziansky wrote:
> > Hello All.
> >
> > My goal is to do ssl bumping in transparent proxy mode with domain
> > exclude possibility. Let me tell you about squid's strange
> > behaviour when I'm trying to do it.
> >
> > In browsers it says something like this: "This server could not
> > prove that it is www.ukr.net; its security certificate is
> > from 212.42.76.253. This may be caused by a misconfiguration or an
> > attacker intercepting your connection.
> > NET::ERR_CERT_COMMON_NAME_INVALID Subject: 212.42.76.253"
> > Looks like squid takes the CN from the certificate as IP address of
> > the destination domain.
>
> Squid takes the IP address from the TCP packet. Which is all that is
> available in NAT intercepted traffic at bumping step #1.
>
> The ACLs you have therefore determine that "bump" action is to happen.
> Correct?
>
> The cert details are therefore mimicked from what gets delivered by
> the server.
>
> It may be that the server is depending on SNI to generate its own
> cert, but since Squid does not have that domain name already an
> IP-based cert comes back.
>
> It may also be that some ISP upstream of you is bumping the encryption
> with client-first method.
>
> > But, everything works smoothly when I use proxy in non transparent
> > mode and put it to the browser directly.
>
> In which case the browser sends domain name to the proxy in its
> CONNECT message starting the HTTPS. The possible results are very
> different.
>
> Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
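The root cause described in this thread (at the intercept step Squid knows only the destination IP from the TCP packet, while the host name is already present in the client's TLS ClientHello as the server_name extension) can be illustrated with a small parser. This is an added example, not Squid code or anything from the list: the function names build_client_hello, peek_sni and bump_subject are assumed for illustration, the ClientHello is constructed inline as sample input, and the parser extracts the SNI the way a peek step would, falling back to the intercepted IP only when no SNI is present.

```python
import struct

def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a real capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sn_list)) + sn_list      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                   # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                    # one cipher suite
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body          # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 22 (handshake)

def peek_sni(data):
    """Return the host_name from a peeked ClientHello, or None if absent or not a ClientHello."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                    # skip record/handshake headers, version, random
        pos += 1 + data[pos]                                # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher suites
        pos += 1 + data[pos]                                # compression methods
        if pos == len(data):
            return None                                     # old-style hello with no extensions block
        ext_len = struct.unpack_from("!H", data, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, pos)
            pos += 4
            if etype == 0 and data[pos + 2] == 0:           # server_name list; first entry is host_name
                nlen = struct.unpack_from("!H", data, pos + 3)[0]
                return data[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                         # truncated or malformed hello
    return None

def bump_subject(peeked_bytes, dst_ip):
    """Name available for the mimicked cert / upstream SNI: the ClientHello SNI when the client
    sent one, otherwise only the destination IP that NAT interception provides."""
    return peek_sni(peeked_bytes) or dst_ip
```

With the SNI present the subject becomes www.ukr.net instead of 212.42.76.253, which is exactly the difference between the browser error quoted above and a certificate the browser will accept.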
