On 20/08/15 03:36, Alex Rousskov wrote:
> SNI is obtained during step #1. Peeking during step #1 does _not_
> preclude future bumping.

Thanks for persisting with me Alex - I got there in the end! :-)

That looks a lot better, my config is now

root# egrep -i 'crtd|bump|ssl:|checkIfHTTPS' squid.conf ssl-bump.inc|grep -v '#'
squid.conf:http_port 3128 ssl-bump cert=/etc/squid/squidCA.cert generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
squid.conf:https_port 3129 intercept ssl-bump cert=/etc/squid/squidCA.cert generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
squid.conf:include /etc/squid/ssl-bump.inc
squid.conf:logformat logdetails %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni %ssl::>cert_subject
ssl-bump.inc:sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
ssl-bump.inc:sslcrtd_children 32 startup=15 idle=5
ssl-bump.inc:acl DiscoverSNIHost at_step SslBump1
ssl-bump.inc:ssl_bump peek DiscoverSNIHost
ssl-bump.inc:acl NoSNIpresent ssl::server_name_regex ".*"
ssl-bump.inc:acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/acl-NoSSLIntercept.txt"
ssl-bump.inc:external_acl_type checkIfHTTPS children-max=20 concurrency=20 negative_ttl=3600 ttl=3600 grace=90 %SRC %DST %PORT %ssl::>sni /usr/local/bin/confirm_https.pl
ssl-bump.inc:acl is_ssl external checkIfHTTPS
####ssl-bump.inc:ssl_bump splice !NoSNIpresent
ssl-bump.inc:ssl_bump splice NoSSLIntercept
ssl-bump.inc:ssl_bump bump is_ssl

So now I can:

1. ###dynamically whitelist/splice non-SNI traffic via its existence (commented because it didn't work - ended up splicing everything)
2. statically whitelist/splice cert pinning apps via acl "NoSSLIntercept"
3. dynamically whitelist/splice some classes of websites (eg banks) by external process checkIfHTTPS
4. bump the rest

Can't get that "###" one to work. How do I create an acl that will match when there's any SNI - so that I can splice anything that hasn't got it?
The only remaining question I have is about SSL session resumption. If a *bumped* session uses resumption - that's purely a squid issue - so I suspect that would always work? (including intercept mode?). And if it's a spliced session, then all squid can do is allow it anyway (because in my config, I want to splice anything that hasn't got SNI) - so that would also work?

> Please note that doing so will give you no knowledge about the SSL
> server point of view. All your decisions will be based on what the
> client has told you. This is often not a problem because, in most cases,
> if the client lied, the [bumped or spliced] connection to the SSL server
> will not work anyway. However, if the client supplied no SNI
> information, then your "bank" ACL (or equivalent) may not have enough
> information to go on, especially for intercepted connections.

My only desire for doing TLS intercept is to introduce content filtering (ie AV). So I am quite happy to throw away (ie splice) old SSL plus non-HTTPS sessions - as the primary target I'm after is people in web browsers downloading viruses from https://dropbox.com, etc (which aren't old SSL: a hacker who deliberately brings up an SSLv2 system in order to subvert my assumption is welcome to - try finding a web browser that will talk to it :-). People who bash their way through multiple layers of browser warning popups/etc in order to get infected are out of scope ;-)

Thanks again for your help Alex. Hopefully this conversation will be useful for others. TLS intercept is a bit of a step up in complexity over standard TCP ;-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
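The external ACL helper side of the `checkIfHTTPS` line in the config above, as an added example that is not the post's own `/usr/local/bin/confirm_https.pl` (whose source is not shown): a hypothetical Python helper speaking Squid's concurrent external_acl protocol, replying OK (so `is_ssl` matches and `ssl_bump bump is_ssl` bumps) only when the client sent an SNI that is not on a constructed do-not-intercept list, and ERR when the SNI is absent, which is how the post wants non-SNI traffic left unbumped.

```python
#!/usr/bin/env python3
"""Hypothetical stand-in for the post's /usr/local/bin/confirm_https.pl.

With `concurrency=20` Squid sends one request per line as
"<channel-id> %SRC %DST %PORT %ssl::>sni" and expects "<channel-id> OK"
or "<channel-id> ERR" back. An empty %ssl::>sni arrives as "-".
OK makes the `is_ssl` ACL match, so `ssl_bump bump is_ssl` bumps the
connection; ERR leaves it to the remaining rules (i.e. not bumped).
"""
import sys

# Constructed list of domains that must never be bumped (banks, cert-pinning apps).
NO_BUMP_DOMAINS = {"bank.example", "pinned-app.example"}


def should_bump(sni: str) -> bool:
    """Decide from the client's SNI alone, as the post's design does.
    No SNI (Squid sends "-") means there is no name to judge by, so the
    answer is "do not bump", matching the post's wish to splice anything
    that arrives without SNI."""
    if not sni or sni == "-":
        return False
    labels = sni.lower().rstrip(".").split(".")
    # Check the full name and every parent domain except the bare TLD.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in NO_BUMP_DOMAINS:
            return False
    return True


def handle_line(line: str) -> str:
    """Turn one request line from Squid into the reply line."""
    fields = line.split()
    if len(fields) < 5:
        # Malformed request: still answer on the channel (ERR) so Squid
        # does not wait on this id, and never bump on bad input.
        return f"{fields[0] if fields else '0'} ERR"
    channel, _src, _dst, _port, sni = fields[:5]
    return f"{channel} {'OK' if should_bump(sni) else 'ERR'}"


def main() -> None:
    for line in sys.stdin:  # one reply per request, flushed immediately
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```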