Yeah I know that, but there are issues with invoking peek: like the host forgery checks suddenly kick in, and squid starts seeing SSL errors (probably due to CentOS6 not supporting the newest standards that Chrome uses) and then squid starts blocking things. That's why I'm sticking to this simplest case for the moment and avoiding the "peek" call.
Thanks!
Jason
On Mon, Mar 21, 2016 at 8:53 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 21/03/2016 10:29 a.m., Jason Haar wrote:
> Hi there
>
> I'm wanting to use tls intercept to just log (well OK, and potentially
> block) HTTPS sites based on hostnames (from SNI), but have had problems
> even in peek-and-splice mode. So I'm willing to compromise and instead just
> intercept that traffic, log it, block on IP addresses if need be, and don't
> use ssl-bump beyond that.
>
> So far the following seems to work perfectly, can someone confirm this is
> "supported" - ie that I'm not relying on some bug that might get fixed
> later? ;-)
>
It is supported.
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
> sslcrtd_children 32 startup=15 idle=5
> acl SSL_https port 443
> ssl_bump splice SSL_https
> acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> http_access deny BlacklistedHTTPSsites
>
> The "bug" comment comes down to how acl seems to work. I half-expected the
> above not to work - but it does. It would appear squid will treat an
> intercept's dst IP as the "dns name" as that's all it's got - so
> "dstdomain" works fine for both CONNECT and intercept IFF the acl contains
> IP addresses
This is because the ssl_bump rules are saying to splice immediately when
only the pseudo-CONNECT with an IP address is known.
If you use this:
ssl_bump peek all
ssl_bump splice all
it will peek at the client SNI and server public cert details before
dropping back to a transparent pass-through. Then it will have that domain
and any other non-encrypted details available for logging.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
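The two configurations discussed in this thread side by side, as an added example (not config from either poster): the splice-immediately rules Jason posted, where only the intercepted destination IP is known so dstdomain can only match IP addresses, and the peek-then-splice variant Amos described, where the client SNI (and later the server certificate) is available for logging and ACLs before Squid drops back to pass-through. The at_step, ssl::server_name and %ssl::>sni names are Squid 3.5 features; that the poster is on a version supporting them is an assumption.

```squid
# --- Variant A: what the original post does ---
# ssl_bump decides at step 1, when only the pseudo-CONNECT built from the
# intercepted dst IP exists. dstdomain therefore sees an IP, not a hostname,
# so the blacklist file must contain IP addresses to match anything.
acl SSL_https port 443
ssl_bump splice SSL_https
acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
http_access deny BlacklistedHTTPSsites

# --- Variant B: peek first, then splice (as suggested in the reply) ---
# Step 1: peek reads the TLS ClientHello, which carries the SNI.
acl step1 at_step SslBump1
ssl_bump peek step1
# Step 2: the SNI is now known; match it against a list of hostnames
# (assumed file with one domain per line, e.g. ".example.test").
acl BlockedSNI ssl::server_name "/etc/squid/acl-BlockedSNI.txt"
ssl_bump terminate BlockedSNI
# Everything else is handed through untouched (no certificate generation).
ssl_bump splice all

# Record the SNI in the access log so HTTPS hostnames are visible
# without decrypting anything. %ssl::>sni is empty under Variant A,
# because nothing has peeked at the ClientHello.
logformat sni_log %ts.%03tu %>a %Ss/%03>Hs %<st %rm %ru sni=%ssl::>sni
access_log /var/log/squid/access.log sni_log
```

Two caveats worth keeping in mind when moving to Variant B: the SNI is supplied by the client and is not validated against anything until Squid has also peeked at the server certificate at a later step, so it is a logging and coarse-blocking signal rather than proof of the destination; and, as the top of the thread notes, peeking is exactly what switches on the host-forgery and certificate checks that start surfacing errors on older TLS stacks, so expect to review those errors rather than silently allowing them.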