Thanks Alex
From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, August 26, 2020 11:54 PM
To: Mathew Brown <mbrown8918@xxxxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Strange Squid SSL Interception Behavior

On 8/26/20 9:13 AM, Amos Jeffries wrote:
> On 26/08/20 11:03 pm, Mathew Brown wrote:
>> Thank you Alex + Amos :) You've really helped clarify things. I had a
>> final question regarding this setup. Does this configuration only look
>> at the client side part of the SNI request or also the server
>> certificate?
>>
>> acl whitelist ssl::server_name .httpbin.org
>>
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet CONNECT
>>
>> ssl_bump peek step1
>> ssl_bump splice whitelist
>> ssl_bump terminate all

The above ssl_bump configuration ignores the TCP client information (during step1) and looks at TLS client information (during the next step -- step2). With this configuration, Squid will not see the server certificate at all.

>> If it only looks at the client-side, how would I tell it to
>> look at the server response as well?

If you want Squid to consider the server certificate as well (during step3), replace "step1" with "all". See the ssl::server_name ACL for the documentation of what "as well" really means in this context. It's complicated.

> The process is all described at
> https://wiki.squid-cache.org/Features/SslPeekAndSplice

Yes, and also see the documentation for the ssl::server_name ACL. In modern Squids, you can control what information that ACL is using.

BTW, I just realized that my earlier statements about reverse DNS lookups were misleading: The ssl::server_name ACL does not do any DNS lookups. When given an unresolved IP address, that ACL will usually mismatch .httpbin.org (regardless of whether the reverse lookup would have returned a matching domain name).

HTH,

Alex.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
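The two ssl_bump variants discussed in the thread side by side, as an added squid.conf example that is not part of the original mail exchange. The `SSL_ports`, `localnet`, `whitelist` and `step1` ACL names and the http_access lines come from the quoted post; the `localnet` address range is an assumption, and the `--client-requested` / `--server-provided` / `--consensus` selectors are the ones documented for the ssl::server_name ACL in Squid 4 and later (check `squid.conf.documented` for your release):

```conf
# Added example (not from the thread). Assumes Squid 4.x or later ssl_bump syntax.

acl SSL_ports port 443
acl localnet src 10.0.0.0/8 192.168.0.0/16      # assumption: your client networks
acl step1 at_step SslBump1                       # TCP-level info only (CONNECT target)
acl step2 at_step SslBump2                       # client TLS Hello parsed (SNI available)
acl step3 at_step SslBump3                       # server TLS Hello parsed (server cert available)

# Default ssl::server_name mode: at step2 the ACL can only see the client-supplied
# SNI (or the CONNECT URI); at step3 it also sees the server certificate subject/SANs.
acl whitelist ssl::server_name .httpbin.org

http_access deny CONNECT !SSL_ports
http_access allow localnet CONNECT
http_access deny all

# --- Variant A: the configuration from the quoted post -------------------------
# Peek only at step1, so the splice/terminate decision is made at step2 using the
# client's SNI alone. A client that sends SNI "x.httpbin.org" but CONNECTs to an
# unrelated address is spliced to that address; Squid never sees the server
# certificate, so the server-side name is never checked.
#
# ssl_bump peek step1
# ssl_bump splice whitelist
# ssl_bump terminate all

# --- Variant B: "replace step1 with all" (Alex's suggestion) -------------------
# Peek at step1 AND step2 (peek is not an applicable action at step3, so the rule is
# skipped there and the next rules decide). The splice/terminate decision is thus
# deferred to step3, after the server Hello, when the ACL can evaluate the server
# certificate as well as the SNI. Note that peeking at step2 forwards the client's
# Hello unchanged, so bumping later is generally no longer possible: splice or
# terminate are the realistic outcomes.
ssl_bump peek all
ssl_bump splice whitelist
ssl_bump terminate all

# Stricter alternatives for the ACL (only meaningful with Variant B, since they
# need the server certificate at step3):
#   acl whitelist ssl::server_name --server-provided .httpbin.org   # cert names only
#   acl whitelist ssl::server_name --consensus .httpbin.org         # SNI and cert must agree
# With Variant A, --server-provided would never match at step2 and every
# connection would be terminated.
```

The practical check after deploying Variant B is the peek step at which each connection is decided: the `%ssl::bump_mode` logformat token (and the server name seen by the ACL via `%ssl::>sni` / `%ssl::<cert_subject`) in an access log line shows whether a spliced connection was admitted on the client's SNI alone or after the server certificate was inspected.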