[squid-dev] [PATCH] invalid certificates and spliced connections

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 19 20:03:31 UTC 2014



On 20/12/2014 7:27 a.m., Tsantilas Christos wrote:


Okay. "transparent" is good there.





A) Consider that CONNECT is always attempted being bumped, but non-TLS
protocols exist within CONNECT.
 Also non-TLS protocols over port 443.
 Also SSL v1 / v2 / v3 over port 443 when the library used by Squid
has all support and knowledge of those protocols removed.

According to at least one user report Skype uses a TLS look-alike
clientHello and something strange as serverHello. So we may not be
able to rely on clientHello to indicate TLS. I don't know for certain
the accuracy of that, you may have observed it or know differently.


B) Remember that TLS is about *security*. In security decision making
you validate strictly and if it fails to pass you abort (fail closed)
quickly with nothing or a code containing as few details as necessary
to be clear something is wrong.


In the (A) vs (B) cases above the errors are all internal to TLS. No
need to get HTTP involved if we can avoid it. If there is a TLS alert
code to signal malformed traffic, use it, otherwise just abort.

Possibly a fast ACL is appropriate:
   ssl_bump_error allow/deny [acls...]

Which is run to make the above decision. ONLY in the event of TLS
protocol syntax errors or malformations. Not for cert/cipher/option
issues such as bad combinations of valid things, or insecure settings.
 Default action on this *_error directive should be "deny all".

Amos

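An added illustration of the peek-then-decide policy argued for above (example code, not Squid's own): the first bytes inside a CONNECT tunnel are validated strictly against the TLS record and ClientHello layout, and only a syntax error or malformation consults the proposed ssl_bump_error ACL. That directive is only a proposal here, so its result is modelled as a plain boolean defaulting to deny, and the check assumes the ClientHello is not fragmented across records.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Outcome of strictly inspecting the first bytes a client sends inside a CONNECT tunnel.
enum class PeekResult { NeedMore, ValidTlsClientHello, MalformedTls, NotTls };
enum class Action { WaitForMore, Bump, Tunnel, Abort };  // Tunnel = splice bytes through untouched

// Fail-closed check of a TLS handshake record carrying a ClientHello: every field is
// validated against the fixed layout and nothing that does not fit is "repaired".
PeekResult peekClientHello(const std::vector<uint8_t>& buf) {
    if (buf.size() < 5) return PeekResult::NeedMore;
    // Record header: ContentType(1) ProtocolVersion(2) length(2); handshake is type 22.
    if (buf[0] != 22) return PeekResult::NotTls;   // plain HTTP, SSLv2 hello, look-alikes
    if (buf[1] != 3 || buf[2] > 3) return PeekResult::MalformedTls; // SSL3.0..TLS1.2 only
    const size_t recLen = (size_t(buf[3]) << 8) | buf[4];
    // A ClientHello needs header(4)+version(2)+random(32)+sid_len(1); assumes one record.
    if (recLen < 39 || recLen > 16384) return PeekResult::MalformedTls;
    if (buf.size() < 5 + recLen) return PeekResult::NeedMore;
    // Handshake header: HandshakeType(1) length(3); ClientHello is type 1.
    if (buf[5] != 1) return PeekResult::MalformedTls;
    const size_t hsLen = (size_t(buf[6]) << 16) | (size_t(buf[7]) << 8) | buf[8];
    // Body must fit the record, hold the minimum fields, and carry an SSL3/TLS client_version.
    if (hsLen + 4 > recLen || hsLen < 35 || buf[9] != 3) return PeekResult::MalformedTls;
    return PeekResult::ValidTlsClientHello;
}

// The decision the message argues for: valid TLS proceeds, a short read waits, and only a
// syntax error or malformation consults the proposed ssl_bump_error ACL (hypothetical;
// 'aclAllows' stands in for its result and defaults to deny, i.e. abort without HTTP).
Action decide(PeekResult r, bool aclAllows = false) {
    switch (r) {
    case PeekResult::ValidTlsClientHello: return Action::Bump;
    case PeekResult::NeedMore: return Action::WaitForMore;
    default: return aclAllows ? Action::Tunnel : Action::Abort;
    }
}

// Constructed sample inputs (not captured traffic).
std::vector<uint8_t> sampleClientHello() {
    std::vector<uint8_t> body = {3, 3};                  // client_version TLS 1.2
    body.insert(body.end(), 32, uint8_t(0x11));          // random
    body.insert(body.end(), {0, 0, 2, 0, 0x2f, 1, 0});   // sid_len, one cipher suite, null compression
    std::vector<uint8_t> rec = {22, 3, 1, 0, uint8_t(body.size() + 4), 1, 0, 0, uint8_t(body.size())};
    rec.insert(rec.end(), body.begin(), body.end());
    return rec;
}
std::vector<uint8_t> sampleHttpGet() {
    const std::string s = "GET / HTTP/1.1\r\n";
    return std::vector<uint8_t>(s.begin(), s.end());
}
```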