Hi folks,

I'm playing with 3.5.2 and Peek-n-Splice, I was wondering if it's actually possible to exclude requests based on the SNI host and have Squid still bump correctly. I've been trying with this configuration, using a simple external acl:

    https_port 60443 intercept ssl-bump cert=/path/to/inspectcert.pem key=/path/to/inspectkey.pem generate-host-certificates=on

    external_acl_type sni ttl=30 concurrency=60 children-max=3 children-startup=1 %ssl::>sni /usr/libexec/bumphelper

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    acl sslbump_exclusions external sni

    ssl_bump peek step1 all
    ssl_bump splice step2 sslbump_exclusions
    ssl_bump bump all

Where bumphelper is a very simple Python script:

    import sys

    while True:
        # Squid sends one line per lookup: "<channel-id> <sni>"
        req = sys.stdin.readline()
        if not req:
            break
        parts = req.split()
        id = parts[0]
        # Squid sends "-" (or nothing) when no SNI was present in the ClientHello
        sni = parts[1] if len(parts) > 1 else '-'
        sys.stderr.write('request %r\n' % req)
        sys.stderr.flush()
        if sni == 'google.com':
            # bypass: OK makes sslbump_exclusions match, so the connection is spliced
            sys.stdout.write('{} OK\n'.format(id))
            sys.stdout.flush()
        else:
            # ERR: ACL does not match, so the connection falls through to "ssl_bump bump all"
            sys.stdout.write('{} ERR\n'.format(id))
            sys.stdout.flush()

The result I'm seeing is that requesting "https://youtube.com" gets inspected as it should, but "https://google.com" results in a handshake error, when it should have been bypassed, like so:

    [~]# openssl s_client -connect google.com:443 -servername google.com
    CONNECTED(00000003)
    140086124283808:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 268 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

So what am I missing? It's very hard to find documentation about this, so I might put this up on the wiki as an example once it's sorted.

Cheers,
Nathan.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
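As an added illustration of the helper side of this setup (example code written for this thread; it is neither Nathan's script above nor a helper shipped with Squid), here is a more defensive SNI exclusion helper. It assumes Squid's concurrent external ACL line protocol as used above ("<id> <sni>" in, "<id> OK" or "<id> ERR" out), that Squid substitutes "-" for a missing SNI value, and it uses a constructed allowlist in which a "*." entry means "any subdomain of this name". The names in the allowlist are placeholders for the example. Since every host the helper answers OK for is spliced and therefore never inspected, the allowlist is deliberately explicit rather than a loose substring match.

```python
import sys

# Constructed allowlist for the example. Exact entries match one host;
# "*.example" entries match subdomains of that name (not the name itself).
# In a real deployment this would be loaded from a file or database.
SPLICE_ALLOWLIST = frozenset({
    "google.com",
    "*.google.com",
    "bank.example",   # placeholder, e.g. a site that pins its certificate
})


def normalise_sni(sni):
    """Lower-case the name and strip a trailing dot; '' or '-' means no SNI."""
    if sni in ("", "-"):
        return ""
    return sni.lower().rstrip(".")


def should_splice(sni):
    """Return True when the TLS connection should be spliced (left uninspected)."""
    host = normalise_sni(sni)
    if not host:
        # No SNI at all: answer ERR so the connection falls through to "bump all".
        return False
    if host in SPLICE_ALLOWLIST:
        return True
    # Walk up the label chain so that a.b.google.com checks
    # *.b.google.com, then *.google.com, then *.com.
    labels = host.split(".")
    for i in range(1, len(labels)):
        if "*." + ".".join(labels[i:]) in SPLICE_ALLOWLIST:
            return True
    return False


def handle_request(line):
    """Turn one request line from Squid into the reply line it expects (no newline).

    Returns None for a blank line, which needs no answer.
    """
    parts = line.strip().split(None, 1)
    if not parts:
        return None
    req_id = parts[0]
    sni = parts[1] if len(parts) > 1 else "-"
    verdict = "OK" if should_splice(sni) else "ERR"
    return "{} {}".format(req_id, verdict)


def main():
    # readline() rather than "for line in sys.stdin" so the helper answers each
    # lookup immediately instead of waiting for stdin's read-ahead buffer to fill.
    while True:
        line = sys.stdin.readline()
        if not line:
            break
        reply = handle_request(line)
        if reply is None:
            continue
        sys.stderr.write("sni-helper: {!r} -> {}\n".format(line.rstrip("\n"), reply))
        sys.stderr.flush()
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With this helper installed in place of /usr/libexec/bumphelper, a lookup line such as "0 mail.google.com" is answered "0 OK" (spliced), "1 youtube.com" is answered "1 ERR" (bumped), and a ClientHello without SNI is also answered ERR, so it never silently bypasses inspection.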