Re: ssl_bump and SNI

Nathan Hoad <nathan@xxxxxxxxxxxxxxxx> · Mon, 1 Jun 2015 12:12:33 +1000

Hello,

Here are some excerpts of what I've used, and an example Python helper:

https_port 60099 intercept ssl-bump tcpkeepalive
cert=/path/to/cert.pem key=/path/to/key.pem options=NO_SSLv2,NO_SSLv3
generate-host-certificates=on

external_acl_type sni ttl=30 concurrency=X children-max=Y
children-startup=Z %ssl::>sni /path/to/your/helper

acl sni_exclusions external sni
acl tcp_level at_step SslBump1
acl client_hello_peeked at_step SslBump2

ssl_bump peek tcp_level all
ssl_bump splice client_hello_peeked sni_exclusions
ssl_bump bump all

Helper:

import sys

line = sys.stdin.read()

# run loop until an empty read, which indicates the process should shut down.
while line:
    concurrency_id, sni = line.split()

    if sni == 'wellsfargo.com':
        sys.stdout.write('%s OK\n' % concurrency_id)
    else:
        sys.stdout.write('%s ERR\n' % concurrency_id)

    line = sys.stdin.read()

Hope that helps,

Nathan.

On 30 May 2015 at 01:14, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
> On 2015-05-29 08:57 AM, Nathan Hoad wrote:
>>
>> Yes, I have it working on about a dozen deployments so far, using an
>> external ACL to make bumping decisions based on the SNI server name
>> and a few other things. No complaints from me, it Just Works.
>> On 29/05/2015 5:50 pm, "sp_" <apani@xxxxxxxxx> wrote:
>>
>>> Hello,
>>>
>>> does anyone have the working squid 3.5 with intercept + https?
>>> I've googled a lot, but seems there is no any positive experience
>>> with it.
>>>
>>> --
>>> View this message in context:
>>>
>>
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-and-SNI-tp4670207p4671432.html
>>>
>>> [1]
>>> Sent from the Squid - Users mailing list archive at Nabble.com.
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users [2]
>>
>>
>>
>> Links:
>> ------
>> [1]
>>
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-and-SNI-tp4670207p4671432.html
>> [2] http://lists.squid-cache.org/listinfo/squid-users
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
> Nathan,
>
> Care to post your config and external helper?  I know I'd love to see
> concrete examples.  Thank you.
>
> James
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users