[squid-dev] Hello and ssl_bump and External ACLs - 4.0.2

Dave Lewthwaite Dave.Lewthwaite at realitymine.com
Mon Nov 23 12:16:38 UTC 2015


I’ve finally found time to join the dev mailing list. I work with squid on a daily basis and we’re always needing the latest features, which often causes us to use betas and nightlies rather than final releases. At the moment I’m having an issue with SSL peek and splice with external ACLs.

I'm using Squid 4.0.2 compiled for CentOS 7 and I'm having issues with the SSL peek and splice configuration that previously worked in 3.5.11 with no problems. (The reason to update is to get elliptic curve cipher support.)

Relevant config:

external_acl_type extallowedSslUsers children-startup=1 children-max=40 ttl=0 negative_ttl=0 %MYPORT %SRC %{X-Proxy-Port}>h %{User-Agent}>h %DST %ssl::>sni /etc/squid/acl/aclSSLInterceptUsers.php
acl allowedSslUsers external extallowedSslUsers

acl DiscoverSNIHost at_step SslBump1

ssl_bump stare DiscoverSNIHost all
ssl_bump bump allowedSslUsers
ssl_bump splice all

In this configuration when using a normal proxy port or transparent port, the external ACL is never evaluated - it logs

WARNING: allowedSslUsers ACL is used in context without an ALE state. Assuming mismatch.

Changing DiscoverSNIHost to be SslBump2 causes the external ACL to be evaluated for the normal proxy port (but SNI is not populated), but still not for the transparent proxy.

The aim is to retrieve the SNI sent by the client to use in both logging and the external ACL.

Swapping stare for peek gives the same behaviour. As far as I can tell, if the system hits this point (without an ALE state) it will skip the ACL check and return false – obviously that’s a problem – I’ve also tried stripping out parameters from the external acl to no avail.

Is this a bug or a mis-configuration?

I can supply debug logs, traces etc if required.


Dave Lewthwaite
Infrastructure Systems Architect, RealityMine

E: davel at realitymine.com | M: +44 (0) 7919 100 358 | W: www.realitymine.com | T: +44 (0) 161 414 0707
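As an added illustration of the helper side of the configuration quoted in the post (this is example code, not the poster's aclSSLInterceptUsers.php and not part of Squid), the following Python external ACL helper consumes request lines in the exact field order of the extallowedSslUsers format (%MYPORT %SRC %{X-Proxy-Port}>h %{User-Agent}>h %DST %ssl::>sni) and answers OK or ERR. It assumes Squid sends the fields space-separated with whitespace-containing values double-quoted, and that a missing value arrives as "-". The networks in ALLOWED_SOURCES and the names in ALLOWED_SNI_SUFFIXES are constructed sample policy; both names are hypothetical. The point a practitioner would want to see is the fail-closed branch: when the SNI field is "-" (the symptom described above), the helper returns ERR so the ssl_bump chain falls through to "splice all" rather than bumping a connection whose server name it could not check.

```python
#!/usr/bin/env python3
"""Example Squid external_acl helper for the extallowedSslUsers format.

Added example, not the poster's aclSSLInterceptUsers.php. The policy data
(ALLOWED_SOURCES, ALLOWED_SNI_SUFFIXES) is constructed for illustration.
"""
import ipaddress
import shlex
import sys

# Constructed policy: only clients in these networks may be bumped, and only
# for server names ending in these suffixes. Anything else answers ERR, so the
# posted ssl_bump chain ends at "splice all" for that connection.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]
ALLOWED_SNI_SUFFIXES = ("example.com", "example.net")

# Field order of the external_acl_type format line from the post.
FIELDS = ("myport", "src", "x_proxy_port", "user_agent", "dst", "sni")


def parse_request(line):
    """Split one helper request line into the six format fields.

    Assumption: fields are space-separated and values containing whitespace
    (e.g. the User-Agent header) are double-quoted; shlex handles both.
    A value Squid does not have is sent as '-'.
    """
    parts = shlex.split(line.strip())
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))


def sni_allowed(sni):
    """True if the SNI host equals, or is a subdomain of, an allowed suffix."""
    host = sni.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SNI_SUFFIXES)


def decide(line):
    """Return the reply line Squid expects: OK or ERR, with a log= annotation."""
    try:
        req = parse_request(line)
    except ValueError:
        return "ERR log=bad-request"
    # Fail closed: no SNI at this ssl_bump step means we cannot judge the
    # server name, so do not bump (ERR -> falls through to "splice all").
    if req["sni"] == "-":
        return "ERR log=no-sni"
    try:
        src = ipaddress.ip_address(req["src"])
    except ValueError:
        return "ERR log=bad-src"
    if not any(src in net for net in ALLOWED_SOURCES):
        return "ERR log=src-not-allowed"
    if not sni_allowed(req["sni"]):
        return "ERR log=sni-not-allowed"
    return "OK log=bump"


def main():
    # Squid writes one request per line and waits for exactly one reply line;
    # the reply must be flushed or Squid will stall waiting on the helper.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The helper is written for an external_acl_type without concurrency=, as in the posted line, so there is no channel-ID prefix on requests or replies. Running it interactively and pasting a line such as `3128 10.1.2.3 - "Mozilla/5.0 (X11; Linux)" 203.0.113.10 www.example.com` shows the OK path; replacing the last field with `-` shows the fail-closed ERR that the SNI-not-populated symptom would produce.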

