> -----Original Message-----
> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Sunday, 12 August 2018 20:50
> To: Julian Perconti <vh1988@xxxxxxxxxxxx>; squid-users@lists.squid-cache.org
> Subject: Re: About SSL peek-n-splice/bump configurations
>
> On 08/12/2018 04:09 PM, Julian Perconti wrote:
>
> > I would like to know which of these two cfg's are "better" or "more secure"
> > when a site/domain is spliced, bumped, etc.
>
> It is impossible to answer that question without knowing how _you_ define
> "better" or "more secure".

First of all: I am relatively new in the "SSL/TLS filtering world". There are many things I don't understand very well yet. You might be right and I am probably wrong.

I meant "security" from the client side accessing a non-bumped or spliced site, e.g. a bank website... client-side "privacy", or a -real- man-in-the-middle attack due to Squid in the middle.

It is well known that there is no system/network/OS that is 100% secure, but, I don't know why, I always thought, or still think, that with an HTTPS proxy/filtering, security or "the things" become riskier than if it did not exist. Even with Squid 100% correctly configured and the server well secured.

> > acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"
> > # ssl_bump option 1: (with this I don't see the domain in "TUNNEL"
> > line, just the IP addr.)
> >
> > ssl_bump peek step1
> > ssl_bump peek step2 noBumpSites
> > ssl_bump splice step3 noBumpSites
> > ssl_bump stare step2
> > ssl_bump bump step3
> >
> > # ssl_bump option 2: (with this I see the domain in "TUNNEL" line.)
> >
> > ssl_bump peek step1
> > ssl_bump splice noBumpSites
> > ssl_bump bump all
> >
> > And (if possible) could anyone explain the difference between these 2 cfg's?
>
> Bugs notwithstanding, Option 1 looks at the TLS server Hello details
> (step2) before splicing or bumping the connections (at step3). Option 2 does
> not -- it splices or bumps based on TLS client Hello info only.

What does Squid do when I don't specify the step? For example: what does Squid do with:

ssl_bump splice step3 noBumpSites

...and what does it do instead with this?

ssl_bump splice noBumpSites

> Option 1 should give Squid/you more information about the server when
> splicing the two connections. For example, you can use server certificate info
> during step3 and when logging.
>
> Option 1 should give the client more information about the server when
> bumping the client -- the client will get a mimicked server certificate detail
> with this option.
>
> I believe the information obtained at each step is documented at
> https://wiki.squid-cache.org/Features/SslPeekAndSplice

Yes, but many things are pretty complex to understand well, even when making tests.

> Please note that your
>
> ssl_bump splice step3 noBumpSites
>
> is a bit risky because your noBumpSites may match differently on each step
> (as it gets more reliable information). It could match at step2 but not match
> at step3 or vice versa, but the decision to splice (or bump) is essentially made
> at step2 -- if you peeked at step2, then you should be splicing or terminating
> at step3 (and if you stared at step2, then you should be bumping or
> terminating at step3). Your rules may not follow that principle if noBumpSites
> matching changes.

I will consider this. So, would you prefer option 2? For now, I am testing that option.

> > with Option 1 I don't see the domain in "TUNNEL" line, just the IP
> > addr.)
>
> I doubt that is how it is supposed to work. When splicing, Option 1 should
> have the same or more information so it should log the domain name if
> Option 2 has the domain name. If you are comparing log lines for identical
> transactions, then this could be a Squid bug.

I don't know, I just tell what happens in the access.log when I switch between these ssl_bump configs.

> Alex.

Thank you.

P.S.: Squid version 4.2 on Debian 9.5

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
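The two questions in the thread (what a rule without a step ACL does, and why `ssl_bump splice step3 noBumpSites` is risky when `noBumpSites` can match differently per step) can be made concrete with a small simulator of Squid's `ssl_bump` rule evaluation. This is an added example written for this page, not Squid code and not part of the thread; it assumes only what the thread and the SslPeekAndSplice documentation state: rules are evaluated at each of up to three steps, the first rule whose ACLs all match wins, a rule with no `at_step` ACL is eligible at every step, and `splice`, `bump` and `terminate` end the evaluation. The default action when no rule matches at a step is a labelled assumption (`NO_MATCH_ACTION`) and is never reached by the two rule sets quoted above.

```python
# Simulator for Squid ssl_bump rule evaluation across SslBump1..3 (added example,
# not Squid's own code). Rule sets below are transcribed from the thread.
# Each rule: (action, set of ACL names that must all match). "step1".."step3"
# stand for the at_step ACLs, "noBumpSites" for the server_name_regex ACL,
# and "all" always matches.
OPTION_1 = [
    ("peek",   {"step1"}),
    ("peek",   {"step2", "noBumpSites"}),
    ("splice", {"step3", "noBumpSites"}),
    ("stare",  {"step2"}),
    ("bump",   {"step3"}),
]
OPTION_2 = [
    ("peek",   {"step1"}),
    ("splice", {"noBumpSites"}),   # no step ACL: eligible at every step
    ("bump",   {"all"}),
]

FINAL_ACTIONS = {"splice", "bump", "terminate"}
# Assumption for this simulator only: with no matching rule, treat the step as "splice".
NO_MATCH_ACTION = "splice"


def first_match(rules, step, matched_acls):
    """Return the action of the first rule whose ACLs all match at this step
    (Squid's first-match semantics). Rules without a step ACL apply at every step."""
    ctx = set(matched_acls) | {"step%d" % step, "all"}
    for action, acls in rules:
        if acls <= ctx:
            return action
    return NO_MATCH_ACTION


def simulate(rules, nobump_matches):
    """Walk SslBump1..3. nobump_matches maps step -> whether noBumpSites matches
    at that step (it may differ per step as more reliable server info arrives).
    Returns (per-step action trace, warning-or-None). The warning encodes the
    principle from the thread: peek at step2 must be followed by splice or
    terminate at step3; stare at step2 by bump or terminate."""
    trace = []
    for step in (1, 2, 3):
        acls = {"noBumpSites"} if nobump_matches.get(step, False) else set()
        action = first_match(rules, step, acls)
        trace.append(action)
        if action in FINAL_ACTIONS:
            break
    warning = None
    if len(trace) == 3:
        step2, step3 = trace[1], trace[2]
        if step2 == "peek" and step3 not in ("splice", "terminate"):
            warning = "peeked at step2 but %s at step3" % step3
        elif step2 == "stare" and step3 not in ("bump", "terminate"):
            warning = "stared at step2 but %s at step3" % step3
    return trace, warning


if __name__ == "__main__":
    # Constructed scenarios: noBumpSites matching consistently, and inconsistently.
    cases = {
        "consistent match":    {1: True, 2: True, 3: True},
        "consistent no-match": {1: False, 2: False, 3: False},
        "match at step2 only": {1: False, 2: True, 3: False},
        "match at step3 only": {1: False, 2: False, 3: True},
    }
    for name, rules in (("Option 1", OPTION_1), ("Option 2", OPTION_2)):
        for case, matches in cases.items():
            trace, warning = simulate(rules, matches)
            print("%s, %s: %s%s" % (name, case, " -> ".join(trace),
                                    "  [RISK: %s]" % warning if warning else ""))
```

Running it shows that Option 2 always decides at step2 (splice or bump) from client Hello information, so it never reaches the peek/stare-versus-step3 mismatch, whereas Option 1 produces `peek -> peek -> bump` or `peek -> stare -> splice` whenever `noBumpSites` matches at one step but not the other, which is exactly the risk Alex describes.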