On 2/25/22 14:36, Matus UHLAR - fantomas wrote:
I only intend to splice connections but after repeated reading
https://wiki.squid-cache.org/Features/SslPeekAndSplice I still don't
understand parts of the logic.
- is the combination described at:
https://wiki.squid-cache.org/Features/SslPeekAndSplice#Basic_Splicing_and_Bumping
enough for logging SNI and cert info?
There are three combinations described in that section. The first peeks
at SNI and certificate info (so the answer is "yes"). The other two are
more complex and may not have access to some of that info in some cases.
- are peek and they completely equal at step 1?
Bugs notwithstanding, Squid does the same thing right after discovering
that a peek or stare rule matched during step1 -- Squid tries to look at
the TLS client Hello message (where SNI is stored).
The difference, if any, only comes after Squid looks at that
ClientHello. Bugs notwithstanding(*), if no ssl_bump rule matches during
step2, then the next Squid action will be either splice or bump,
depending on which rule (peek or stare) matched at the first step.
By using "peek", you tell Squid that you intend to splice if everything
goes alright; and by using stare, you tell Squid that you intend to
bump. After step1, you can still change your mind (because the immediate
Squid operations are the same -- look at ClientHello). After step2, you
cannot (because Squid operations differ and, in modern environments,
peeking precludes future bumping and staring precludes future splicing
as detailed further below).
(*) There are recently discovered bugs in this area (that we are
fixing), so you should not rely on this, but that is what Squid will be
doing when those bugs are fixed. I do not recommend relying on such
"defaults" anyway -- make sure the step after a peek or stare rule match
has a matching rule.
- what's the difference between peek and splice that makes it impossible
(most of the time) to splice (stare) or bump (peek) the connection?
* When Squid peeks, it forwards the user agent TLS client Hello message
to the TLS server intact. After forwarding that virgin Hello, Squid
cannot become a part of the TLS conversation. Squid has to splice or
terminate the connections, which are both TCP- not TLS-level operations.
* When Squid stares, Squid modifies the TLS client Hello received from
the user agent to use Squid-specific TLS secrets and then sends the
adapted ClientHello to the TLS server. After that, it is impossible for
Squid to get out of the loop -- the conversation is now based on
Squid-provided secrets. Squid has to bump or terminate the connections.
HTH,
Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users