On Thu, Apr 30, 2020 at 04:05:43PM -0400, Alex Rousskov wrote:
> On 4/30/20 12:10 PM, Scott wrote:
>
> >> * For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels
> >> are sent to the SslBump code.
> >>
> >> * For https_port configured with an ssl-bump flag, all traffic is sent
> >> to the SslBump code (by faking a corresponding HTTP CONNECT request).
>
> > These `fake' CONNECT requests I assume only contain the IP address of the
> > upstream server, not the hostname, as intercepted SSL connections are TCP
> > OPENs.
>
> Modern Squid replaces TCP-derived destination IP address with TLS
> SNI-derived domain name when generating the second fake CONNECT request.
> The second CONNECT is generated during SslBump step2, after parsing TLS
> client handshake.
>
> > Am I right then in saying that using ssl::server_name is useless for bumped
> > intercepted connections?
>
> It may be useful for ACLs checked during SslBump step2 (because it will
> check the TLS client SNI-derived domain name) and during step3 (when it
> will check TLS server certificate-derived CN and SubjectAltName).

    acl tcp_open_connect_sslbump at_step SslBump1
    acl ssl_splice_sni ssl::server_name "/usr/local/etc/squid/acls/splice_sni"
    acl guest_net_src src x.y.z.0/24

    ssl_bump peek tcp_open_connect_sslbump
    ssl_bump splice ssl_splice_sni
    ssl_bump bump guest_net_src
    ssl_bump splice

where I splice instead of bump for destinations that are often used with
certificate pinning software (.apple.com with iOS for example).

https://wiki.squid-cache.org/Features/SslPeekAndSplice says "At no point
during ssl_bump processing will dstdomain ACL work". Does that also imply
that `ssl::server_name' won't work (or is not required) for `http_access'
statements?

I have config like this:

    acl no_proxy_dstdomain dstdomain "/usr/local/etc/squid/acls/no_proxy_dstdomain"
    http_access deny no_proxy_dstdomain

    acl no_proxy_sni ssl::server_name "/usr/local/etc/squid/acls/no_proxy_dstdomain"
    http_access deny no_proxy_sni

Are the last two lines redundant? Or are they required for spliced
connections? Or should I just convert those lines into

    ssl_bump terminate no_proxy_sni

?

And finally, I want to use a different outgoing tcp address for intercepted
connections. What's the best ACL to match those? Or should I just match
explicit proxy connections by port? (ie !myport 3128)

Thanks for your help,

Scott