On 9/05/2016 10:05 p.m., Cohen-Rose, Adam wrote:
> Hi there,
>
> We're running squid with SSL bump as a transparent proxy in order to
> control access to particular SSL sites.
>
> We've noticed an issue with access to facebook from within the facebook
> app -- specifically it can get through the proxy even though it is *not*
> listed as a domain to splice. Accessing the facebook site from a web
> browser is blocked as expected.
>
> Looking at packets in Wireshark, the app traffic that gets through seems
> to use a different style of SSL handshake from the web traffic as follows:
>
> App traffic:
> > client hello
> < server hello, change cipher spec
> - change cipher spec message: this session reuses previously negotiated
> keys (session resumption)
> < encrypted handshake message
> > change cipher spec, encrypted handshake message, application data
> > application data
>
>
> Web traffic:
> > client hello
> < server hello
> < certificate
> < server key exchange
> > client key exchange
> > change cipher spec
> > encrypted handshake message
> < new session ticket, change cipher spec, encrypted handshake message
> > application data
>
>
>
> I suspect this may be the same or a similar issue referred to in the
> 3.5.19 release changes (TLS: Fix SSL alert message and session resume
> handling) -- would someone please confirm or deny?
>

Not sure enough to answer that Q, sorry.

But if you are bumping at all you should upgrade anyway. The problem(s)
that it fixes are relatively common even if they are not the specific one
you noticed.

> And if we were to upgrade to 3.5.19, is the build on Centos 6 a relatively
> easy one? We've been using Eliezer Croitoru's builds so far, but I don't
> think he's had time to make the latest build yet!

He should be doing it real soon now, if not already done and just testing
to make sure it works okay.
>
> For reference, the relevant parts of our squid configuration are as
> follows:
>
> https_port {squid-ip}:443 cert=/path/to/cert key=/path/to/key
> sslflags=NO_DEFAULT_CA intercept ssl-bump

FYI: "intercept ssl-bump" should be the first options on the line after
the port. It doesn't matter in 3.x, but will in the future versions as the
mode determines how the following cert/key options are interpreted and
ssl-bump determines what type of properties the cert requires.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
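As an added illustration (not part of the thread and not Squid code), the following Python walks the server-to-client TLS 1.2 records of a capture and reports whether a Certificate message was visible in the clear before ChangeCipherSpec, which is exactly what separates the two handshake shapes quoted above: a resumed session goes straight from ServerHello to ChangeCipherSpec, so an intercepting proxy that matches the server certificate has nothing to match. The two sample flights are constructed here with dummy message bodies; only the record and handshake framing is real.

```python
import struct

CONTENT_CCS, CONTENT_HANDSHAKE, CONTENT_APPDATA = 20, 22, 23
HANDSHAKE_NAMES = {2: "server_hello", 4: "new_session_ticket", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done"}

def iter_records(data):
    """Yield (content_type, payload) for each TLS record in a server->client byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        yield ctype, data[off:off + length]
        off += length

def iter_handshake_types(payload):
    """Yield handshake message types from a plaintext handshake record (it may hold several)."""
    off = 0
    while off + 4 <= len(payload):
        yield payload[off]
        off += 4 + int.from_bytes(payload[off + 1:off + 4], "big")

def classify_server_flight(data):
    """'full' if a Certificate message was visible in the clear, 'resumed' if
    ChangeCipherSpec arrived without one, 'incomplete' if neither was seen."""
    seen = []
    for ctype, payload in iter_records(data):
        if ctype == CONTENT_CCS:  # everything after this record is encrypted
            return ("full" if "certificate" in seen else "resumed"), seen
        if ctype == CONTENT_HANDSHAKE:
            seen += [HANDSHAKE_NAMES.get(t, f"handshake_{t}") for t in iter_handshake_types(payload)]
    return ("full" if "certificate" in seen else "incomplete"), seen

# Constructed sample flights mirroring the two captures in the thread (dummy message bodies).
def _rec(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def _hs(htype, body=b""):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

APP_FLIGHT = (_rec(CONTENT_HANDSHAKE, _hs(2, b"\x03\x03" + b"\x00" * 34))  # server hello
              + _rec(CONTENT_CCS, b"\x01")                                  # resumed: no certificate
              + _rec(CONTENT_HANDSHAKE, b"\xaa" * 40)                       # encrypted finished
              + _rec(CONTENT_APPDATA, b"\xbb" * 64))
WEB_FLIGHT = (_rec(CONTENT_HANDSHAKE, _hs(2, b"\x03\x03" + b"\x00" * 34) + _hs(11, b"\xcc" * 19)
                   + _hs(12, b"\xdd" * 20) + _hs(14))                       # hello, cert, SKE, done
              + _rec(CONTENT_HANDSHAKE, _hs(4, b"\x00" * 8))                # new session ticket
              + _rec(CONTENT_CCS, b"\x01") + _rec(CONTENT_HANDSHAKE, b"\xaa" * 40))
```

Running `classify_server_flight` over the server side of each flow reported by Wireshark gives a quick count of how many sessions through the proxy were resumed without a visible certificate.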