On 5/10/19 3:34 pm, washuu wrote:
>
> Hi,
>
> I'm using Squid 3.5.27, and I want to filter some HTTPS traffic, based on
> the hostnames.

When using SSL-Bump features, even for things like this you should follow
the latest Squid version to make sure the TLS handling is up to date.
Currently Squid-4.8 is minimal for SSL-Bump features to work well.

>
> my ssl-related config is as follows:
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump peek step1 all
> acl global_https_dst_allow ssl::server_name "/chroot/squid/etc/squid/global_dst_whitelist"
> ssl_bump splice step2 global_https_dst_allow
> ssl_bump terminate step2 proxyclients
> http_access allow SSL_ports
> http_access allow proxyclients

NP: at a guess based on their names these two ACLs are redundant. You
should be able to remove the "allow SSL_ports" line and let proxyclients
do the allow. Unless you want any random external client to be allowed
just because they want your proxy for HTTPS relay.

> http_access deny all
>
> Now I see that several SSL clients do NOT send an SNI hostname in the Client
> Hello message, and what I got is denied access, with the following entry in
> the log:
>
> 1570241666.136 5 192.168.3.99 TAG_NONE/200 0 CONNECT 52.202.211.224:443 - HIER_NONE/- - -
>

There is no indication of which SSL-Bump step is being performed when
this log entry is recorded. This may be from the initial CONNECT request
before the ClientHello is received.

> I have two questions then:
>
> 1) For such cases, is there a possibility to filter traffic based on the
> certificate provided by the Server Hello (instead of SNI from Client Hello)
> in step3?

Only in Squid-4+, with the --server-provided flag. Like so:

  acl foo ssl::server_name --server-provided .example.com

> 2) Is there a way to allow (by additional ACL rule, perhaps) traffic
> without the SNI field set? So actually I would be filtering OUT only the
> sessions where SNI was present, but the hostname did not match my whitelist.
There is a special value "none" for the ssl::server_name ACL which will
match if there is no server name found. (NP: It is broken prior to
Squid-3.5.23 and Squid-4.1.)

You will need the --client-requested flag (also only in Squid-4+) to
limit the server name to SNI.

Be careful using this type of bypass. It essentially makes the whitelist
pointless: clients just avoid sending SNI and they can do whatever they
like with your proxy. That is a major security hole.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
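Putting the two answers above together, here is an added example of a Squid-4+ ssl_bump policy that keeps the SNI whitelist but, for clients that send no SNI, peeks at the ServerHello and decides on the server certificate at step 3 instead of splicing them through. It is not code from the thread or from the Squid project. The client network, the whitelist path and the ACL names are assumptions; the --client-requested, --server-provided and "none" syntax is the Squid-4+ syntax described in the reply, so confirm it against squid.conf.documented for the build you run. The weak setting the reply warns against is shown commented out beside the corrected one.

```squid
# Added example (not from the thread or the Squid project): a Squid-4+
# ssl_bump policy that keeps the whitelist from the original post but
# handles clients that send no SNI by checking the server certificate
# at step 3 instead of splicing them blindly.
#
# Assumptions (hypothetical, adjust to your deployment):
#   - proxyclients is the LAN range allowed to use the proxy
#   - /etc/squid/global_dst_whitelist holds one domain per line,
#     e.g. ".example.com" (leading dot matches subdomains)
#   - https_port with ssl-bump and a signing CA is configured elsewhere
#
# ACL flag syntax (--client-requested, --server-provided, "none") is
# Squid-4+ as stated in the reply; check squid.conf.documented for
# the exact wording in your version.

acl proxyclients src 192.168.3.0/24

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Names the client asked for: SNI, or the CONNECT URI host when SNI is absent.
acl https_dst_allow_sni  ssl::server_name --client-requested "/etc/squid/global_dst_whitelist"
# Names the server proves via its certificate (CN / SubjectAltName);
# these are only known at step 3, after Squid has peeked at the ServerHello.
acl https_dst_allow_cert ssl::server_name --server-provided "/etc/squid/global_dst_whitelist"
# Matches when the client supplied no name at all (no SNI and CONNECT by IP,
# like the 52.202.211.224:443 entry in the original log).
acl no_client_name ssl::server_name --client-requested none

# Only LAN clients may use the proxy. The separate "allow SSL_ports" line
# from the original config is dropped as redundant, per the reply.
http_access allow proxyclients
http_access deny all

# Step 1: only the CONNECT request is known. Peek to obtain the ClientHello.
ssl_bump peek step1 all

# Step 2: SNI (if any) is known. Splice whitelisted names without touching TLS.
ssl_bump splice step2 https_dst_allow_sni

# WEAK (the bypass the reply warns about): splicing every no-SNI client lets
# any client skip the whitelist simply by omitting SNI.
#ssl_bump splice step2 no_client_name

# CORRECTED: for no-SNI clients, peek at the ServerHello so the server
# certificate names can be checked at step 3.
ssl_bump peek step2 no_client_name

# SNI present but not whitelisted: close the connection.
ssl_bump terminate step2 all

# Step 3: certificate names are known. Splice only if the certificate carries
# a whitelisted name, otherwise terminate. Having peeked (not stared) at
# step 2, Squid normally cannot bump here, so splice/terminate are the options.
ssl_bump splice step3 https_dst_allow_cert
ssl_bump terminate step3 all
```

To exercise the no-SNI path from a host in the proxyclients range, an OpenSSL 1.1.1 or newer client can be pointed through the proxy with `openssl s_client -proxy <proxy>:3128 -connect <ip>:443 -noservername`; with the corrected rules the handshake should complete only when the server's certificate names match the whitelist, and access.log should show the step-3 decision rather than an immediate splice. Note that a CONNECT to a hostname (rather than an IP) still counts as a client-requested name, so such clients are matched against the whitelist at step 2 even without SNI.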