Search squid archive

Re: Skype+intercept+ssl_bump

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/30/2016 04:21 PM, Alex Rousskov wrote:
*snip*


Update: The question still stands, but we now know more about what
happens if the on_unsupported_protocol bug (in code and/or
documentation, depending on how you look at it) discussed above is
fixed: Squid then starts tunneling traffic as it is told by the
on_unsupported_protocol directive, but forgets to use the existing
encrypted connection to the server and opens/uses a new Squid-to-server
unencrypted connection instead.

Thus, the patch I posted previously does not solve the known Skype
groups/MSNP problem -- it only exposes the next (and bigger!) obstacle
on the way to that solution.

We are working on supporting/fixing tunneling of bumped connections, but
feedback regarding request counting check question above is still welcomed.


Thank you,

Alex.


I am using squid-4.0.13-20160819-r14813 and have observed the following
with transparent intercept:
1) skype (on windows10) login fails, access.log contains
   "CNT error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -
2) whatsapp (on Android) fails, access.log contains
   "NONE error:transaction-end-before-headers HTTP/0.0" 0 0 NONE:HIER_NONE -
   "' error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -
3) Samsung (monitoring?) app on my Samsung smartphone:
   "CONNECT 54.76.6.24:80 HTTP/1.1" 403 3775 TCP_DENIED:HIER_NONE Host:%2054.76.6.24:80%0D%0A
   "NONE error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -

TCP_DENIED in 3) is OK since the app connects on port 80 and this port is
not in SSL_ports, but the error message "invalid-request" on the next line
is misleading.

If you need a cache.log with debug ALL,9 I can provide one.

The ssl-bump rules on my server are:
acl tls_s1_connect at_step SslBump1
acl tls_to_splice complex-acl-but-does-not-matter-what-it-has
ssl_bump peek   tls_s1_connect
ssl_bump splice tls_to_splice
ssl_bump stare  all
ssl_bump bump   all

With best regards,

Marcus
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux