
List:       squid-users
Subject:    Re: [squid-users] Call for adaptation after sni peeked
From:       Jatin Bhasin <jbhasin83 () gmail ! com>
Date:       2019-10-28 7:25:16
Message-ID: CAGRJihX7G3qUp2ApFxbJJzrPKifs0LbiSq53CA-i07T6Ny7+uA () mail ! gmail ! com



Hi Alex,

If I use below squid configuration:

    ssl_bump peek step1
    ssl_bump splice all

I would see the fake connect request in step 2 as well. I did not check squid
version 4, but squid version 3 will send the second fake connect to the ecap adapter
only if we splice in step 2, which will be true in the above configuration.
But I don't want to splice in step 2, well not always. I want my ecap adapter
to get the fake connect in all cases in step 2 so that I can then make a
decision in step 2 whether to splice or bump.
In other words, at the end of step 1 squid could make a call to the adaptation
acl (it does not currently), which would help to make decisions based on the sni
(if available).

As per my understanding, squid makes a call to the adaptation acl in the following
cases:
Step 1 - At the start of the connection, but here only the ip is available.
Step 2 - Only when splicing.
I did not check any further from here because by then it's mostly too late to
bump anyway.

I am happy to send the following to another group if you can suggest one:
I made a manual code change for the acl adaptation at the end of step 1 and I
was able to send the fake connect with the sni to ecap. I wanted to understand from
experts whether these changes are incorrect and may cause issues in some cases
I don't know about.

Thanks,
Jatin

On Thu., 24 Oct. 2019, 07:55 Alex Rousskov, <
rousskov@measurement-factory.com> wrote:

> On 10/23/19 3:37 PM, Jatin Bhasin wrote:
>
> > This question is related to ssl decryption and ecap adaptation call.
> > When the ssl connection starts then before it even extracts sni squid sends
> > fakeConnect which comes to ecap as well.
>
> Yes, this happens during SslBump step1 as described at
> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>
>
> > I am using peek in step 1 and after fakeConnect squid extracts the sni,
> > but at this point squid does not make another call to ecap.
>
> According to the above wiki page (and my understanding of how SslBump
> should work), Squid should make another adaptation pass during step2.
> You may want to make sure that your Squid does not discover some error
> _before_ it can start doing eCAP during step2.
>
> If your eCAP service does not see the second CONNECT (during step2), I
> suggest using the latest Squid v4 with the following "minimal" SslBump
> configuration:
>
>     ssl_bump peek step1
>     ssl_bump splice all
>
> Does the above work without problems when eCAP is turned off?
>
> Does the above deliver the second CONNECT to eCAP when it is enabled?
>
>
> > This function in squid is startPeekAndSpliceDone in file
> > client_side.cc
>
>
> We should not be discussing code details on squid-users, but the latest
> Squid v4 does not have that function AFAICT:
>
> > $ git grep startPeekAndSpliceDone SQUID_4_8 | wc -l
> > 0
>
>
> Alex.
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
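As an added illustration, not taken from Jatin's or Alex's messages, the "splice or bump in step 2 based on the peeked SNI" decision that Jatin wants can be expressed directly in squid.conf with Squid's `ssl::server_name` ACL, with no adaptation call involved. The ACL names and the `.example.com` / `.example.net` domain list are placeholders.

```conf
# Added example squid.conf fragment (not from the thread). ACL names and the
# domain list are placeholders; list the sites that must never be decrypted.
acl step1 at_step SslBump1

# Matches the SNI learned during the step 1 peek of the ClientHello.
# Connections without an SNI do not match this ACL.
acl noDecrypt ssl::server_name .example.com .example.net

# Step 1: peek only, so the SNI becomes known before committing to an action.
ssl_bump peek step1

# Step 2: the first matching rule wins. Splicing forwards the TLS bytes
# end-to-end (Squid never sees plaintext); everything else is bumped for
# inspection.
ssl_bump splice noDecrypt
ssl_bump bump all
```

Because a spliced connection is never decrypted, an eCAP service attached to this proxy will see only the fake CONNECT for those sites, not their HTTPS payload.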





