List:       squid-users
Subject:    Re: [squid-users] Best way to prevent squid from bumping CONNECTs
From:       Alex Rousskov <rousskov () measurement-factory ! com>
Date:       2020-04-30 20:05:43
Message-ID: 9d5db430-5186-1080-fb3e-abe409aed50a () measurement-factory ! com

On 4/30/20 12:10 PM, Scott wrote:

>> * For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels
>> are sent to the SslBump code.
>>
>> * For https_port configured with an ssl-bump flag, all traffic is sent
>> to the SslBump code (by faking a corresponding HTTP CONNECT request).


> These `fake' CONNECT requests I assume only contain the IP address of the 
> upstream server, not the hostname, as intercepted SSL connections are TCP 
> OPENs.

Modern Squid replaces the TCP-derived destination IP address with the TLS
SNI-derived domain name when generating the second fake CONNECT request.
The second CONNECT is generated during SslBump step2, after parsing the TLS
client handshake.


> Am I right then in saying that using ssl::server_name is useless for bumped 
> intercepted connections?

It may be useful for ACLs checked during SslBump step2 (because it will
check the TLS client SNI-derived domain name) and during step3 (when it
will check TLS server certificate-derived CN and SubjectAltName).


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
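An added squid.conf example (not from Alex's message or the Squid project) showing how the step ordering he describes is put to use: peek at step1 so the fake CONNECT is regenerated with the SNI, then let `ssl::server_name` decide splice-or-bump at step2 with the SNI-derived name. The port, certificate path and `.example.com` domain are placeholders.

```conf
# Intercepted TLS on port 3129: every connection enters SslBump as a
# fake CONNECT. The tls-cert path is a placeholder for the local CA
# that Squid uses to mint server certificates for bumped connections.
https_port 3129 intercept ssl-bump \
    tls-cert=/etc/squid/bump_ca.pem \
    generate-host-certificates=on

# SslBump steps: step1 sees only the TCP destination IP (so the fake
# CONNECT carries an IP, not a hostname), step2 has the ClientHello SNI,
# step3 has the server certificate.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites that must never be bumped. This ACL cannot match a hostname at
# step1 for intercepted traffic (only the IP is known). At step2 it is
# checked against the SNI-derived name, at step3 against the server
# certificate CN / SubjectAltName.
acl nobump ssl::server_name .example.com

# step1: peek, so Squid parses the ClientHello and regenerates the fake
# CONNECT with the SNI-derived domain name before evaluating step2 rules.
ssl_bump peek step1

# step2: splice (pass through unmodified) when the SNI names a protected
# site; bump everything else. Because the decision is made on the SNI,
# an intercepted client that sends no SNI falls through to "bump all".
ssl_bump splice nobump step2
ssl_bump bump all
```

If the splice decision must instead wait for the certificate-derived name at step3, replace `bump all` with `peek step2`, then add `ssl_bump splice nobump step3` and `ssl_bump terminate all`: after peeking at step2 Squid can only splice or terminate at step3, not bump.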