On 7/09/18 1:48 PM, Julian Perconti wrote:
> 
> Hi all,
> 
> I have a new strange situation:
> 
> With this peek-n-splice configuration:
> 
> ssl_bump peek step1 all
> ssl_bump peek step2 noBumpSites
> ssl_bump splice step3 noBumpSites
> ssl_bump bump

So... (let's call this config A)

#step1 does this:
> ssl_bump peek step1 all

#step2 does this:
> ssl_bump peek step2 noBumpSites
> ssl_bump bump

If the bump at step2 happened, there is no step3.

#step3 does this:
> ssl_bump splice step3 noBumpSites

> 
> I got this error on spliced sites (a bank site):
> 
> The system returns this error in the browser (Chrome 69):
> 
> (104) Connection reset by peer (TLS code: SQUID_ERR_SSL_HANDSHAKE)
> Handshake with SSL server failed: [No Error]
> 
> This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
> 
> cache.log:
> 2018/09/06 22:40:36 kid1| ERROR: negotiating TLS on FD 44: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> 
> But if I change the ssl_bump directive(s) to:
> 
> ssl_bump peek step1
> ssl_bump splice noBumpSites
> ssl_bump bump all
> 

So... (let's call this config B)

#step1 does this:
> ssl_bump peek step1

#step2 does this:
> ssl_bump splice noBumpSites
> ssl_bump bump all

Notice there is never any step3, and the splice in this ruleset happens at step2.

So config (A) is trying to do a step3 (handshake with server) when it has only peek'ed and relayed the clientHello as-is (including any secret tokens and unknown features the client is trying to use). The bump action is bound to fail.

** "stare" is the action which sets up and filters the handshake ready for the bump action at step3 (server handshake with TLS features Squid knows how to handle).

The config (B) bumps at step2. That is what the old and very broken "client-first" behaviour used to be. It does not produce any errors from the proxy BUT leads directly to a huge pile of security vulnerabilities and nasty side effects that may never be seen by you. Use at your own risk.

> I can access the spliced site and there are no errors of any kind in access.log
> 
> Any idea?

Have you read the documentation?
<https://wiki.squid-cache.org/Features/SslPeekAndSplice>

Break your rules down into the stages as I have above and what is going on becomes a bit more clear. Then you can consider what ssl_bump is doing in terms of what info Squid has available.

step1: TCP IP:port or CONNECT URI (forward-proxy only)
step2: TLS clientHello + TLS SNI (if any)
step3: TLS serverHello + server cert

The entire directive set is interpreted from top-to-bottom, left-to-right, at each step. The first line to fully match is what happens for that step.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
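Editor's added example, not part of Amos's reply or of the Squid project's documentation: the three-step breakdown above written out as a squid.conf fragment with explicit at_step ACLs, using the peek / stare / bump ordering Amos describes as the one that leaves Squid with a server handshake it can actually complete at step3. The noBumpSites ACL (an ssl::server_name match on a made-up domain) is an assumption standing in for the poster's own list.

```conf
# Added example (editor's, not from the original post). Explicit ACLs for
# the three SslBump steps so each ssl_bump line says which step it is for.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Assumed stand-in for the poster's noBumpSites list: sites that must be
# spliced, matched on the TLS SNI, which is only available from step2 on.
acl noBumpSites ssl::server_name .bank.example

# step1: only the TCP IP:port (or CONNECT URI) is known. Peek so the
# client's ClientHello and SNI become available for step2.
ssl_bump peek step1 all

# step2: ClientHello + SNI are known. Splice the exempt sites now; for
# everything else "stare" rather than "peek", so Squid sends its own
# server-side handshake with TLS features it knows how to handle instead
# of relaying the client's ClientHello as-is.
ssl_bump splice step2 noBumpSites
ssl_bump stare step2 all

# step3: serverHello + server certificate are known. Bump the connections
# that were stared at step2.
ssl_bump bump step3 all
```

Read against the two posted rulesets: config A pairs a peek at step2 with a bump at step3, which is the combination Amos says is bound to fail because the relayed ClientHello is not one Squid can finish; config B never reaches step3 and bumps at step2, which he identifies as the old client-first behaviour. The fragment above keeps the splice decision at step2 (where the SNI is first available) and defers the bump to step3, so Squid has the real server certificate to mimic.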