Re: about sni

On 16/02/2016 12:46 p.m., HackXBack wrote:
> What are the requirements for ssl::server_name to work with SNI (squid
> 3.5.12) ?
> 
> In principle, I want to do this (from squid.conf):
> ....
> # get the public TLS metadata (includes SNI)
>  ssl_bump peek all
> 

This will peek at both step 1 and 2.

>  # block based on SNI matching
>  acl blocked ssl::server_name .example.com
>  ssl_bump terminate blocked
> 

This is only reached at step 3. Which means it will happen based on
server cert matching (*NOT SNI*). Also, terminate seems to require
similar operations to bump, so after the step 2 peek it may not work
reliably.


>  # tunnel (no decrypting) for everything else
>  ssl_bump splice all
> .....
> 
> Few questions regarding the pre-requisites for this to work:
> - It should not be necessary to install Squid's cert in the client, correct ?

Correct. SNI has nothing to do with whether the client trusts *Squid's*
certificate.

> - squid.conf: Anything missing in next line (cert for squid ) ?
>         http_port 3129 intercept ssl-bump

The cert= settings are still required here, that is just to get ssl-bump
operating.

> - Anything else required ?
> 

* The client is required to send SNI.

* Squid peek or stare action is required to be configured at step 1 of
ssl_bump processing.

That is all.

Amos
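The ordering the reply describes, written out as an added squid.conf example (not from the thread or from the Squid project): peek only at step 1 so the SNI is available, evaluate the ssl::server_name rule at step 2, and splice the rest. The cert= path is a placeholder.

```conf
# Added example, not from the thread. The certificate path is a
# placeholder; ssl-bump will not start without a cert= setting.
http_port 3129 intercept ssl-bump cert=/etc/squid/PLACEHOLDER-squid-ca.pem

# Name the ssl_bump processing steps so rules can be tied to one step.
acl step1 at_step SslBump1

# Step 1: peek at the client's ClientHello, which carries the SNI.
# Peeking only here (not "peek all") keeps Squid from also peeking at
# the server side in step 2, so the terminate below is reached before
# any server certificate matching takes place.
ssl_bump peek step1

# Step 2: ssl::server_name now matches the SNI value sent by the
# client. No certificate needs to be installed on the client for this.
acl blocked ssl::server_name .example.com
ssl_bump terminate blocked

# Everything else: tunnel without decrypting.
ssl_bump splice all
```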

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
