Re: Working peek/splice no longer functioning on some sites

On Sun, 2017-11-26 at 09:50 +0200, Alex K wrote:
Perhaps an alternative is to peek only on step1:

acl step1 at_step SslBump1

ssl_bump peek step1
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all

Hrmm...wouldn't that negate the ability to read the cert on step2?

In layman's terms I'm thinking:
"peek at step1"
"splice acl allow matched sni's"
"peek at step2"
"splice acl allow'd matched certs"
"terminate the rest"

Would that work Amos?


On Nov 25, 2017 14:46, "James Lay" <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
On Sun, 2017-11-26 at 01:33 +1300, Amos Jeffries wrote:
On 26/11/17 00:52, James Lay wrote:
On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
On 25/11/17 08:30, James Lay wrote:
Topic says it...this setup has been working well for a long time, but now there are some sites that are failing the TLS handshake.  Here's my setup:

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all
ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
Because you have "peek all" being performed the transaction MUST pass your regex patterns with both TLS SNI from the client *and* the server certificate SubjectName values. Either one not matching will perform that "terminate all" on the TLS handshake.
Thanks Amos...do you have a suggestion for changing this to match one or the other instead of both?
Doing the splice check before the peek should do that. First one of the server_names data sources to match will then splice and non-matches fall through to either peek or terminate if no more peeking possible.

Amos

Perfect..I've modded my lines with:

acl broken_https_sites ssl::server_name_regex "/opt/etc/squid/broken_url.txt"
ssl_bump splice broken_https_sites
ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all

Hopefully that fixes these up.  Another site besides the one in this thread is fbcdn.net.  Again, these DID work, but something within the last month has changed...guessing Facebook and Elder Scrolls Online have added additional TLS security.  Thanks as always Amos.

James

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

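The ordering point Amos makes (a splice check placed before "peek all", and "terminate all" kept last) is easy to get wrong when a squid.conf is edited by hand. The script below is an added example, not code from the thread or from the Squid project: it parses only the acl and ssl_bump lines of a squid.conf fragment and flags the original ordering from the thread while accepting the reordered one. The two fragments it checks are constructed from the configurations quoted above; the checks themselves are assumptions drawn from the thread (splice before peek, terminate last) plus the requirement that an ACL be defined before an ssl_bump rule references it ("all" is treated as Squid's built-in ACL).

```python
import re

# Two squid.conf fragments constructed for this example from the ssl_bump
# configurations quoted in the thread: the original ordering (peek all before
# the splice rule) and the reordered one (a splice check before peek all).
ORIGINAL_CONF = """\
ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
"""

REORDERED_CONF = """\
acl broken_https_sites ssl::server_name_regex "/opt/etc/squid/broken_url.txt"
ssl_bump splice broken_https_sites
ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
"""

ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+(\S+)")
SSL_BUMP_RE = re.compile(r"^\s*ssl_bump\s+(\S+)\s+(.+?)\s*$")


def parse_conf(conf_text):
    """Return the acl and ssl_bump directives in file order as tuples:
    ('acl', name) or ('ssl_bump', action, [acl, ...]). Other directives
    are ignored (assumption: only these two matter for this check)."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]  # squid.conf comments start with '#'
        m = ACL_RE.match(line)
        if m:
            entries.append(("acl", m.group(1)))
            continue
        m = SSL_BUMP_RE.match(line)
        if m:
            entries.append(("ssl_bump", m.group(1), m.group(2).split()))
    return entries


def check_ssl_bump_order(conf_text):
    """Return a list of warning strings; an empty list means the ssl_bump
    ordering follows the advice given in the thread."""
    entries = parse_conf(conf_text)
    defined = set()
    rules = []
    warnings = []

    # 1. Each ACL named in an ssl_bump rule must already be defined
    #    ('all' is built in; a leading '!' negates the ACL).
    for entry in entries:
        if entry[0] == "acl":
            defined.add(entry[1])
            continue
        _, action, acls = entry
        rules.append((action, acls))
        for acl in acls:
            name = acl.lstrip("!")
            if name != "all" and name not in defined:
                warnings.append(
                    f"ssl_bump {action} references undefined acl {name!r}")
    if not rules:
        return ["no ssl_bump rules found"]

    # 2. If 'ssl_bump peek all' comes before every splice rule, the splice is
    #    only evaluated after peeking, so (as explained in the thread) the
    #    server name must match at every peeked step rather than at either.
    peek_all = [i for i, (a, acls) in enumerate(rules)
                if a == "peek" and acls == ["all"]]
    splices = [i for i, (a, _) in enumerate(rules) if a == "splice"]
    if peek_all and splices and min(splices) > peek_all[0]:
        warnings.append("'ssl_bump peek all' precedes every splice rule; "
                        "move the splice checks for known-good names above it")

    # 3. An unconditional terminate makes every later rule unreachable.
    term_all = [i for i, (a, acls) in enumerate(rules)
                if a == "terminate" and acls == ["all"]]
    if term_all and term_all[0] != len(rules) - 1:
        warnings.append(
            "ssl_bump rules after 'ssl_bump terminate all' are never reached")
    return warnings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF),
                        ("reordered", REORDERED_CONF)):
        print(label, check_ssl_bump_order(conf) or ["ok"])
```

Running it reports the "peek all precedes every splice rule" warning for the original fragment and nothing for the reordered one. The check is deliberately conservative: it reasons only about rule order, not about which server_name source (CONNECT host, SNI or certificate subject) is available at each SslBump step, so a clean result means the file is ordered as the thread recommends, not that every name in the regex files will be spliced.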