Search squid archive

Re: Transparent proxy with Peek and Splice feature.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Yeap, squid perfectly "splice" the destination domain after step1 or step2 or step3 when the browser is set to use proxy directly. But, it does not work in case of transparent proxy. Squid uses the destination IP address instead of SNI details. 

The example of using client IP address is below:
2014/11/27 01:15:22.851| DomainData.cc(110) match: aclMatchDomainList: '212.42.77.232' NOT found 

Thank you guys.


11/29/2014 6:17 AM, Amos Jeffries написав(ла):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:

Hello Amos.

Thank you for answer.

There was made an investigation related to squid's peek and splice
issues in transparent mode. One-line explanation is as follows - in
intercept mode squid can't get a server host name from the request
header and uses clent IP address instead for both fake cert
generation and as a SNI record in server bump SSL handshaking. This
is the root of the problem. However this can be fixed if squid uses
SNI field taken from client TLS Hello message for that purposes.
Can you hack squid in this way? What do you think?

I think peek-n-splice is supposed to already be doing that.

However it does depend on whether you are bumping the connection at
step 1 (before ClientHello), step 2 (after ClientHello, before
ServerHello), or step 3 (after both ClientHello and ServerHello) of
the TLS handshake whether the SNI details are present.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUeUjPAAoJELJo5wb/XPRj6QEIAOHrR8wmDcjkfgUh2UtPwpHP
vVkPMEuIrUq9Gxx3uSojCZjlFJPuCQ2UafS1p8LuxcEQ+TRmUFbAu4AkKoO2RoZ5
7fCGoiXTwn4TzFf0pLh9SPBq9j12OJ3uT28EEqbILrT0sbKP02xK/qiJfCLR61Ev
vprAdggapbKg/ns1l1H3BBgZR2A4W/abQPIq6/Eu/r+7nYK6L2oOdqPDWTJjudMV
8D9sdOD9mYYryrdptU0GLh9Q/V5QEhipSkuA936iZ0Dfa2ZSr4gphJyaRAFWSMf3
q502lZy+ASkDa2vAbjALRBgn3VwYWl8KBQcypUKF4UXtaLtF0EIrLMun+p4QxUM=
=44aG
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux