[squid-dev] [RFC] TLS peek by default

[Alex Rousskov]

On 06/05/2015 04:47 PM, Amos Jeffries wrote:

> Along these lines, I am wondering why we need to have "ssl_bump peek"
> checked for in relation to client peeking. Can we make Squid simply do
> that first 'peek' step always for all potential HTTPS connections ?


IIRC, the reasons we did not want to peek by default included:

1. Worries about non-SSL protocols that expect the server to talk first.
If we require Squid to always peek, the transaction will get stuck. We
will need to add timeouts and such, further complicating the code and
configuration. The server-talks-first protocols are real, especially in
interception setups.

2. Worries about buggy code (ours, OpenSSL, and the combination of the
two) breaking stuff for folks that do not need to peek at all. In
retrospect, these worries were well founded -- IIRC, there were quite a
few problems with peeking at certain traffic that could be temporary
worked around by disabling peeking using ACLs.

Christos, did I forget any other reasons?


> This would also give SNI and the like up front and make Squid able to
> act lot more like what people in squid-users seem to be starting off
> assuming it does.

True. I think we could change how Squid does this, but I doubt simply
hard-coding peeking is a good idea for the reasons mentioned above. A
more flexible/elegant solution is probably needed (which may not exist
at all or may be more complex than your PROXY-specific project wants to
deal with).


HTH,

Alex.