
Re: 3.5.8 — SSL Bump questions


 



On 2015-09-08 01:54 PM, Alex Rousskov wrote:
On 09/07/2015 11:36 PM, Dan Charlesworth wrote:
First, here’s my config (shout out to James Lay):

acl client_hello_peeked at_step SslBump2
ssl_bump splice client_hello_peeked bump_bypass_domains
ssl_bump bump client_hello_peeked

Just in case somebody tries to copy this:

AFAICT, in Squid v3.5.8, the above config does not make sense. Since
client_hello_peeked does not match during step1, no ssl_bump rules will
match during step1, and so the above is equivalent to:

  ssl_bump splice !all
  ssl_bump bump !all

which, in turn, should be equivalent to:

  ssl_bump splice all

because "splice" is the default ssl_bump action unless Squid has been
"staring". That, in turn, should be nearly equivalent to not using
SslBump at all. There are some side effects related to the
always-performed SslBump step1 actions that you may observe, but I doubt
you were after those side effects.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

I recall that in testing something similar was proposed, but it did not function as intended, but that was....gosh I'm not sure how many revs back. I'm currently having great success with 3.5.8 and this peek/splice only method using transparent intercept:

###############################
# one ACL per SslBump step
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# step1: look at the TCP-level info, step2: read the client's SNI; neither decrypts anything
ssl_bump peek step1 all
ssl_bump peek step2 all
# step3: only servers whose name matches a pattern in the file get spliced through as-is
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice step3 allowed_https_sites
# everything else is closed
ssl_bump terminate all
###############################

I didn't really have a reason to actually bump and decrypt, just to allow/disallow. I still see peek only (http://bugs.squid-cache.org/show_bug.cgi?id=4256) in the logs for both successfully spliced and terminated sessions, but eh...I know it's working otherwise I'd have unhappy children :D

James
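To make the two points in this thread concrete (Alex's observation that a rule set whose ACLs only match at SslBump2 degenerates to "splice everything at step1", and James's peek/peek/splice-or-terminate layout), here is a small Python model of how ssl_bump rules are evaluated step by step. It is an added illustration, not Squid code: it assumes first-matching-rule-wins per step, splice as the default action unless a stare rule matched earlier, and that the server name is unknown at step1 in interception mode; the pattern lists and host names are constructed stand-ins for the files referenced above.

```python
import re

FINAL = {"splice", "bump", "terminate"}  # actions that end the decision process


class Acl:
    """ACL types used in the thread: at_step, ssl::server_name_regex and the built-in 'all'."""
    def __init__(self, kind, arg=None):
        self.kind, self.arg = kind, arg

    def matches(self, step, server_name):
        if self.kind == "all":
            return True
        if self.kind == "at_step":
            return step == self.arg
        if self.kind == "server_name_regex":
            # Assumption: intercepted traffic has no server name at step1 (SNI arrives at step2).
            return server_name is not None and any(re.search(p, server_name) for p in self.arg)
        raise ValueError(self.kind)


def evaluate(rules, acls, sni):
    """rules: list of (action, [acl names]) in squid.conf order; a '!' prefix negates an ACL.
    Returns (final action, step at which it was decided). Simplified model, not Squid's code."""
    stared = False
    for step in (1, 2, 3):
        name = sni if step >= 2 else None
        action = "bump" if stared else "splice"  # default when no rule matches at this step
        for act, names in rules:
            if all(acls[n.lstrip("!")].matches(step, name) != n.startswith("!") for n in names):
                action = act
                break
        if action in FINAL:
            return action, step
        stared = stared or action == "stare"
    return ("bump" if stared else "splice"), 3


ACLS = {
    "all": Acl("all"),
    "step1": Acl("at_step", 1), "step2": Acl("at_step", 2), "step3": Acl("at_step", 3),
    "client_hello_peeked": Acl("at_step", 2),
    # constructed patterns standing in for the files the posters reference
    "allowed_https_sites": Acl("server_name_regex", [r"\.example\.org$"]),
    "bump_bypass_domains": Acl("server_name_regex", [r"^bank\.example\.net$"]),
}
# Dan's rules as quoted by Alex: nothing can match at step1, so step1 silently splices.
DAN_RULES = [("splice", ["client_hello_peeked", "bump_bypass_domains"]),
             ("bump", ["client_hello_peeked"])]
# James's rules: peek at steps 1 and 2, then splice allowed names or terminate.
JAMES_RULES = [("peek", ["step1", "all"]), ("peek", ["step2", "all"]),
               ("splice", ["step3", "allowed_https_sites"]), ("terminate", ["all"])]
```

Running evaluate(DAN_RULES, ACLS, "www.example.org") returns ("splice", 1), i.e. the bump rule is never consulted; prepending ("peek", ["step1"]) lets the same rules reach step2, while JAMES_RULES splices "www.example.org" at step3 and terminates any other name.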



