On 12/12/2014 10:31 p.m., Yu-Hsuan Liao wrote:
> Hello everyone,
>
> I'm trying to use Squid 3.5's new feature peek-and-splice to
> bypass Skype connections. I'm a little confused about ssl_bump
> steps; the wiki says that
>
> peek Receive client (step SslBump1) or server (step SslBump2)
> certificate while preserving the possibility of splicing the
> connection.
>
> My question is: does ssl_bump make the decision to bump or splice the
> connection when Squid gets the ServerHello message?
>
> cos I found that the Skype voice connection is first
>

a) ssl_bump called (step 1) to decide what to do with no info but TCP packet details available.

> 1. client sends Client Hello

b) ssl_bump called again (step 2) to decide what to do with only client and TCP details available.

> 2. server sends Server Hello

c) ssl_bump called again (step 3) to decide what to do with all client, server and TCP details available.

>
> then the Skype data payload transmission begins (non-SSL format, not the
> rest of the SSL handshake)
>
> so that I still get the "Error negotiating SSL connection on FD"
> message in cache.log
>
> Does the peek-and-splice function cover the above situation, or do I just
> misunderstand the usage of ssl_bump peek?
>

Not if you need to wait for the Skype payload before deciding what to do during the bumping process.

If the TLS hello from either end included ALPN or a useful SNI value they might be used to determine a step during bumping. Though I don't think Squid acts on ALPN values yet.

> my squid ver. is 3.5.0.3
>
> squid.conf setting is
>
> acl skype_list dstdomain "skype_list"
> ssl_bump peek skype_list
> ssl_bump stare all
>

Only if "skype_list" matches the TCP packet IP address (without rDNS being looked up) will the peek happen.

I think you need to add an at_step ACL test to peek always at step1, then do the other actions at step2 once SNI (domain name) is possibly available.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
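A squid.conf fragment showing the at_step structure Amos describes, added here as an example; it is neither the configuration posted in the thread nor taken from the Squid project. The ACL names (step1, step2, step3, skype_sni) and the reuse of the thread's "skype_list" file as an ssl::server_name list are assumptions; at_step and ssl::server_name are ACL types available in Squid 3.5. It does not change the outcome Amos gives for a non-TLS payload sent right after the ServerHello: that connection still fails negotiation whatever the step rules say.

```squid
# Squid 3.5 ssl_bump step ACLs (added example, not from the thread).
# Each step corresponds to the a), b), c) callbacks in Amos's reply.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Match the TLS SNI from the ClientHello (step 2) or the server certificate
# name (step 3). "skype_list" is the domain-list file named in the thread;
# its location and contents are assumed, one domain per line.
acl skype_sni ssl::server_name "skype_list"

# Step 1: only TCP details are known, so peek unconditionally. This is what
# makes the ClientHello (and any SNI) visible at step 2.
ssl_bump peek step1

# Step 2: SNI is now possibly available. Splice listed names so the client
# and server complete their own handshake untouched.
ssl_bump splice step2 skype_sni

# Everything else: stare at step 2 to fetch the server certificate, then
# bump at step 3. A stared connection can only be bumped or terminated.
ssl_bump stare step2
ssl_bump bump step3
```

ssl_bump rules are evaluated top to bottom at every step and the first match wins, so the unconditional peek must come first and the step2 splice must precede the stare fallback; swapping those two lines would never splice anything. With the original `acl skype_list dstdomain "skype_list"` the list is tested against the raw destination IP at step 1, which is why Amos notes the peek only happens when that IP matches.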