
Re: peek & splice only to log ssl info

On 2/25/22 14:36, Matus UHLAR - fantomas wrote:

I only intend to splice connections but after repeated reading https://wiki.squid-cache.org/Features/SslPeekAndSplice I still don't understand parts of the logic.

- is the combination described at:
https://wiki.squid-cache.org/Features/SslPeekAndSplice#Basic_Splicing_and_Bumping
enough for logging SNI and cert info?

There are three combinations described in that section. The first peeks at SNI and certificate info (so the answer is "yes"). The other two are more complex and may not have access to some of that info in some cases.


- are peek and stare completely equal at step 1?

Bugs notwithstanding, Squid does the same thing right after discovering that a peek or stare rule matched during step1 -- Squid tries to look at the TLS client Hello message (where SNI is stored).

The difference, if any, only comes after Squid looks at that ClientHello. Bugs notwithstanding(*), if no ssl_bump rule matches during step2, then the next Squid action will be either splice or bump, depending on which rule (peek or stare) matched at the first step.

By using "peek", you tell Squid that you intend to splice if everything goes alright; and by using stare, you tell Squid that you intend to bump. After step1, you can still change your mind (because the immediate Squid operations are the same -- look at ClientHello). After step2, you cannot (because Squid operations differ and, in modern environments, peeking precludes future bumping and staring precludes future splicing as detailed further below).

(*) There are recently discovered bugs in this area (that we are fixing), so you should not rely on this, but that is what Squid will be doing when those bugs are fixed. I do not recommend relying on such "defaults" anyway -- make sure the step after a peek or stare rule match has a matching rule.


- what's the difference between peek and splice that makes it impossible (most of the time) to splice (stare) or bump (peek) the connection?

* When Squid peeks, it forwards the user agent TLS client Hello message to the TLS server intact. After forwarding that virgin Hello, Squid cannot become a part of the TLS conversation. Squid has to splice or terminate the connections, which are both TCP- not TLS-level operations.

* When Squid stares, Squid modifies the TLS client Hello received from the user agent to use Squid-specific TLS secrets and then sends the adapted ClientHello to the TLS server. After that, it is impossible for Squid to get out of the loop -- the conversation is now based on Squid-provided secrets. Squid has to bump or terminate the connections.


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
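An added configuration example (not from Alex's reply or the Squid project) of the first combination discussed above: peek at step1, an explicit splice rule so that step2 always has a matching rule, and a logformat that records the SNI and the peeked server certificate fields. The at_step ACL names and the %ssl:: logformat codes are Squid's own; the port number, certificate path and log path are assumed placeholders.

```squid
# Squid 4+ syntax (tls-cert=); on Squid 3.5 the option is cert=.
# Splice-only setups still need a certificate on the ssl-bump port,
# but no host certificates are generated, so no sslcrtd_program is needed.
http_port 3128 ssl-bump tls-cert=/etc/squid/PLACEHOLDER-bump.pem generate-host-certificates=off

# Name the SslBump steps so the rules below read in step order.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Step1: peek, i.e. read the client's ClientHello (SNI) and forward it intact.
# Peeking commits Squid to splice or terminate later; it cannot bump after this.
ssl_bump peek step1

# Step2 (and any later step): splice explicitly rather than relying on the
# "splice after peek" default, as the reply above recommends.
ssl_bump splice all

# Log the intent-revealing fields: bump mode, client SNI, and the server
# certificate subject/issuer that Squid saw while peeking at step2.
logformat tlsinfo %ts.%03tu %>a %Ss/%03>Hs %ssl::bump_mode %ssl::>sni %ssl::<cert_subject %ssl::<cert_issuer
access_log /var/log/squid/PLACEHOLDER-tls.log tlsinfo
```

With a "peek" at step1 and a "splice" at step2, the %ssl::>sni field is populated from the ClientHello and the %ssl::<cert_* fields from the server's Certificate message; nothing is decrypted, so the log records only handshake metadata.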