List: squid-users
Subject: Re: [squid-users] Best way to prevent squid from bumping CONNECTs
From: Alex Rousskov <rousskov () measurement-factory ! com>
Date: 2020-04-30 20:05:43
Message-ID: 9d5db430-5186-1080-fb3e-abe409aed50a () measurement-factory ! com
On 4/30/20 12:10 PM, Scott wrote:
>> * For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels
>> are sent to the SslBump code.
>>
>> * For https_port configured with an ssl-bump flag, all traffic is sent
>> to the SslBump code (by faking a corresponding HTTP CONNECT request).
> These `fake' CONNECT requests I assume only contain the IP address of the
> upstream server, not the hostname, as intercepted SSL connections are TCP
> OPENs.
Modern Squid replaces the TCP-derived destination IP address with the TLS
SNI-derived domain name when generating the second fake CONNECT request.
The second CONNECT is generated during SslBump step2, after parsing the TLS
client handshake.
> Am I right then in saying that using ssl::server_name is useless for bumped
> intercepted connections?
It may be useful for ACLs checked during SslBump step2 (because it will
check the TLS client SNI-derived domain name) and during step3 (when it
will check TLS server certificate-derived CN and SubjectAltName).
HTH,
Alex.
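As an added example that is not part of the thread and not Squid project code, here is a squid.conf fragment applying the step ordering Alex describes for intercepted TLS: peek at step1 (where only the TCP-derived IP is known), then let ssl::server_name decide at step2 (where the fake CONNECT carries the SNI-derived name). The port number, certificate path, certificate database path and the domain list are assumed placeholders.

```conf
# Added example; paths, port and domains are placeholders, adjust for your deployment.

# Intercepted TLS: every connection becomes a fake CONNECT whose target is
# the TCP destination IP at step1 and the SNI-derived name at step2.
https_port 3130 intercept ssl-bump \
    tls-cert=/etc/squid/bump.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Domains that must never be bumped (placeholder list).
acl nobump ssl::server_name .bank.example .healthcare.example

# Step1: only the TCP-derived IP is available, so no name-based decision yet;
# peek to parse the TLS ClientHello and learn the SNI.
ssl_bump peek step1

# Step2: ssl::server_name now matches the SNI-derived name, so splicing here
# leaves the excluded domains end-to-end encrypted.
ssl_bump splice step2 nobump

# Everything else is bumped at step2.
ssl_bump bump all
```

If you instead want decisions based on the server certificate's CN and SubjectAltName, the rule matching the certificate must run at step3, which Squid only reaches when step2 peeks or stares rather than bumping or splicing; a rule placed at step1 alone will never see a hostname on intercepted traffic, for exactly the reason given in the reply above.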
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users