
List:       squid-users
Subject:    Re: [squid-users] Strange Squid SSL Interception Behavior
From:       Mathew Brown <mbrown8918 () outlook ! com>
Date:       2020-08-26 19:12:11
Message-ID: VI1PR04MB518473CDF2E370BE03A04544DF540 () VI1PR04MB5184 ! eurprd04 ! prod ! outlook ! com

Thanks Alex
________________________________
From: Alex Rousskov <rousskov@measurement-factory.com>
Sent: Wednesday, August 26, 2020 11:54 PM
To: Mathew Brown <mbrown8918@outlook.com>; squid-users@lists.squid-cache.org <squid-users@lists.squid-cache.org>
Subject: Re: [squid-users] Strange Squid SSL Interception Behavior

On 8/26/20 9:13 AM, Amos Jeffries wrote:
> On 26/08/20 11:03 pm, Mathew Brown wrote:
>> Thank you Alex + Amos :) You've really helped clarify things. I had a
>> final question regarding this setup. Does this configuration only look
>> at the client-side part of the SNI request or also the server
>> certificate?

>> acl whitelist ssl::server_name .httpbin.org
>>
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet CONNECT
>>
>> ssl_bump peek step1
>> ssl_bump splice whitelist
>> ssl_bump terminate all


The above ssl_bump configuration ignores the TCP client information
(during step1) and looks at TLS client information (during the next step
-- step2). With this configuration, Squid will not see the server
certificate at all.


>> If it only looks at the client-side, how would I tell it to
>> look at the server response as well?

If you want Squid to consider the server certificate as well (during
step3), replace "step1" with "all". See ssl::server_name ACL for the
documentation of what "as well" really means in this context. It's
complicated.


> The process is all described at
> https://wiki.squid-cache.org/Features/SslPeekAndSplice

Yes, and also see the documentation for the ssl::server_name ACL. In
modern Squids, you can control what information that ACL is using.


BTW, I just realized that my earlier statements about reverse DNS
lookups were misleading: The ssl::server_name ACL does not do any DNS
lookups. When given an unresolved IP address, that ACL will usually
mismatch .httpbin.org (regardless of whether the reverse lookup would
have returned a matching domain name).


HTH,

Alex.
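The two ssl_bump variants discussed in this thread, side by side, as an added squid.conf example (not part of Alex's reply or of the Squid project's documentation). The comments on which step each rule fires at follow Alex's explanation above; the "localnet" and "SSL_ports" ACLs are assumed to be the standard ones from the default squid.conf, and the commented-out "--server-provided" selector is an assumption about the ssl::server_name options available in Squid 4 and later, to be checked against squid.conf.documented for the version in use.

```conf
# Added example: the thread's original ssl_bump configuration (variant A)
# next to the one Alex suggests (variant B). Assumes the default "localnet"
# and "SSL_ports" ACLs exist.

# Domain-style match: matches httpbin.org and any of its subdomains.
acl whitelist ssl::server_name .httpbin.org

# Assumed (Squid 4+ option, verify on your version): restrict the ACL to the
# names found in the server certificate instead of the client's SNI.
# acl whitelist_srv ssl::server_name --server-provided .httpbin.org

http_access deny CONNECT !SSL_ports
http_access allow localnet CONNECT

# --- Variant A: as posted in the thread ------------------------------------
# step1: "peek step1" matches; Squid only has the TCP-level CONNECT
#        information (IP and port) and makes no final decision yet.
# step2: "peek step1" no longer matches, so the remaining rules are
#        evaluated against the TLS ClientHello. "whitelist" is tested against
#        the client-requested SNI: a match is spliced, anything else is
#        terminated.
# Squid never negotiates TLS with the server, so it never sees the server
# certificate. A client that connects to a bare IP presents no matching
# name, so "whitelist" mismatches and the connection is terminated; Squid
# performs no reverse DNS lookup to change that outcome.
#
# ssl_bump peek step1
# ssl_bump splice whitelist
# ssl_bump terminate all

# --- Variant B: "step1" replaced with "all", as Alex suggests --------------
# step1: "peek all" matches; Squid peeks at the CONNECT information.
# step2: "peek all" matches again; Squid peeks at the ClientHello, forwards
#        it to the origin server and receives the server certificate.
# step3: peek is no longer an option, so "splice whitelist" and
#        "terminate all" decide, and ssl::server_name now has the server
#        certificate available as well as the client SNI.
ssl_bump peek all
ssl_bump splice whitelist
ssl_bump terminate all
```

Because the decision in variant B is only made at step3, every connection that reaches that point has already been relayed to the origin server once; the practical difference is that a client lying in its SNI can no longer get spliced on the strength of the SNI alone.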


_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

