List: squid-users
Subject: Re: [squid-users] Strange Squid SSL Interception Behavior
From: Mathew Brown <mbrown8918 () outlook ! com>
Date: 2020-08-26 19:12:11
Message-ID: VI1PR04MB518473CDF2E370BE03A04544DF540 () VI1PR04MB5184 ! eurprd04 ! prod ! outlook ! com
Thanks Alex
________________________________
From: Alex Rousskov <rousskov@measurement-factory.com>
Sent: Wednesday, August 26, 2020 11:54 PM
To: Mathew Brown <mbrown8918@outlook.com>; squid-users@lists.squid-cache.org <squid-users@lists.squid-cache.org>
Subject: Re: [squid-users] Strange Squid SSL Interception Behavior
On 8/26/20 9:13 AM, Amos Jeffries wrote:
> On 26/08/20 11:03 pm, Mathew Brown wrote:
>> Thank you Alex + Amos :) You've really helped clarify things. I had a
>> final question regarding this setup. Does this configuration only look
>> at the client side part of the SNI request or also the server
>> certificate?
>> acl whitelist ssl::server_name .httpbin.org
>>
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet CONNECT
>>
>> ssl_bump peek step1
>> ssl_bump splice whitelist
>> ssl_bump terminate all
The above ssl_bump configuration ignores the TCP client information
(during step1) and looks at TLS client information (during the next step
-- step2). With this configuration, Squid will not see the server
certificate at all.
>> If it only looks at the client-side, how would I tell it to
>> look at the server response as well?
If you want Squid to consider the server certificate as well (during
step3), replace "step1" with "all". See ssl::server_name ACL for the
documentation of what "as well" really means in this context. It's
complicated.
> The process is all described at
> https://wiki.squid-cache.org/Features/SslPeekAndSplice
Yes, and also see the documentation for the ssl::server_name ACL. In
modern Squids, you can control what information that ACL is using.
BTW, I just realized that my earlier statements about reverse DNS
lookups were misleading: The ssl::server_name ACL does not do any DNS
lookups. When given an unresolved IP address, that ACL will usually
mismatch .httpbin.org (regardless of whether the reverse lookup would
have returned a matching domain name).
HTH,
Alex.
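As an added illustration (not code from the thread, from Squid, or from either poster), the following Python model walks the three SslBump steps for the two configurations Alex contrasts and reports which server-name information (TCP destination only, SNI, or SNI plus certificate) is on hand when the splice/terminate decision is made. The ACL and ssl_bump lines are the ones quoted above; the name-combination rule and the treatment of a peek rule at step3 are simplifying assumptions, not Squid's documented semantics, and the addresses and names are constructed.

```python
from dataclasses import dataclass
WHITELIST = (".httpbin.org",)   # acl whitelist ssl::server_name .httpbin.org

def name_matches(name, patterns=WHITELIST):
    """Squid dot-prefix semantics: '.httpbin.org' matches the domain and any
    subdomain; an empty name or a bare IPv4 literal never matches."""
    if not name or name.replace(".", "").isdigit():
        return False
    return any(name == p.lstrip(".") or name.endswith(p) for p in patterns)

@dataclass(frozen=True)
class Connection:
    dst_ip: str              # TCP-level information, known at step1
    sni: str = ""            # TLS ClientHello SNI, known at step2
    cert_names: tuple = ()   # server certificate names, known at step3

def known_names(conn, step):
    """Names learned by a given step (simplified): none from TCP alone,
    the SNI at step2, SNI plus certificate names at step3."""
    names = () if step == 1 else (conn.sni,)
    return names + tuple(conn.cert_names) if step == 3 else names

def acl_matches(acl, step, names):
    if acl == "all":
        return True
    if acl.startswith("step"):
        return step == int(acl[4:])
    if acl == "whitelist":
        # ASSUMPTION: every known name must match, so SNI and certificate must
        # agree once both are known (real Squid offers configurable rules here).
        return bool(names) and all(name_matches(n) for n in names)
    raise ValueError(f"unknown acl: {acl}")

def evaluate(rules, conn):
    """Walk ssl_bump rules per step, first match wins; a matching 'peek' defers
    to the next step. ASSUMPTION: peek rules are skipped at step3, where no
    further peeking is possible. Returns (deciding step, action, names known)."""
    for step in (1, 2, 3):
        names = known_names(conn, step)
        for action, acl in rules:
            if action == "peek" and step == 3:
                continue
            if acl_matches(acl, step, names):
                if action == "peek":
                    break                   # go look at the next step
                return step, action, names
    return 3, "terminate", known_names(conn, 3)   # no rule matched

ORIGINAL = [("peek", "step1"), ("splice", "whitelist"), ("terminate", "all")]
PEEK_ALL = [("peek", "all"), ("splice", "whitelist"), ("terminate", "all")]
```

With ORIGINAL the decision falls at step2 on the SNI alone, so a mismatching certificate is never fetched; with PEEK_ALL the same connection is decided at step3 with the certificate names included.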
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users