[squid-dev] [RFC] "Splicing" bumped requests to resolve\workaround WebSockets issues.

Eliezer Croitoru eliezer at ngtech.co.il
Sun Jul 17 20:34:36 UTC 2016


Alex, thanks for clearing things up.
I remember something vaguely and this is why I didn't quote anything.
I tried searching for something in the squid-dev list or IRC but I couldn't
find it.

"tunnel after bump" is indeed the right term and despite what some think,
in many cases the issue is not certificate pinning but...
a specially crafted binary protocol that cannot be intercepted by an HTTP
proxy.

About the on_unsupported_protocol, I am assuming it's part of the:
http://wiki.squid-cache.org/Squid-4?highlight=%28on_unsupported_protocol%29

The test cases I can think of are a couple:
- CONNECT of a pinned-certificate based connection (MS, Skype)
- CONNECT of a non-TLS based connection (Skype)
- CONNECT of an HTTP WebSocket connection (WhatsApp?)
- CONNECT of an HTTPS based connection, non-WebSocket (a simple banking site)
- CONNECT of an HTTPS based WebSocket connection (the CentOS\Fedora cockpit
has these; other suggestions are welcome)
- intercepted connection for each of the cases above

I think that when we can test each and every one of these
cases (successfully) then we can move forward from beta to the next release.
(only for the bump, splice, tunnel, on_unsupported_protocol aspect of Squid)

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: Alex Rousskov [mailto:rousskov at measurement-factory.com] 
Sent: Sunday, July 17, 2016 10:39 PM
To: Eliezer Croitoru; squid-dev at lists.squid-cache.org
Subject: Re: [RFC] "Splicing" bumped requests to resolve\workaround
WebSockets issues.

On 07/15/2016 04:29 AM, Eliezer Croitoru wrote:
> The issue:
> 
> Clients are issuing secured connections which contains WebSockets
> internally and squid HTTP parsing breaks these connections.

> Another related issue which deserves attention:
> 
> Certificate pinning and connection breakage.
> 
> Currently we cannot determine for many connections what the "issue" is:
> is it the bumping itself or the breakage of a WebSocket HTTP connection?



> An acceptable solution:
> 
> Alex mentioned the option to splice a bumped connection.
> 
> I do not know exactly what Alex meant since not many details were
> presented.

I do not know exactly what Alex meant either since you provided no
source for that alleged opinion of Alex's.


> As I understand, it would not be possible to do this kind of splice
> without bumping first.

I recommend avoiding "splice after bump" terminology because, in SslBump
context implied by the word "bump", that combination makes no sense: It
is not possible to splice bumped connections.

I suggest using "tunnel after bump" instead. Please note that "tunnel"
(not "splice") is one of the on_unsupported_protocol actions.


HTH,

Alex.
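As an added example (not part of the thread and not the Squid project's own sample configuration), here is a squid.conf fragment that pairs the "tunnel" action of on_unsupported_protocol that Alex refers to with a peek-and-splice policy covering the pinned-certificate cases from the test list. The certificate path, the helper and database paths, and the domain in the "pinned" ACL are placeholders to be replaced for a real deployment.

```conf
# Added example, not from the thread. Paths and ACL members are placeholders.

# Forward-proxy port with SslBump enabled (Squid 4 syntax).
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Squid 4 certificate generator helper (placeholder paths).
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Placeholder list of servers whose clients pin certificates. A bumped
# handshake to these is rejected by the client itself, so splice instead
# of bumping; on_unsupported_protocol cannot help with this case.
acl pinned ssl::server_name .pinned-service.example

ssl_bump peek step1
ssl_bump splice pinned
ssl_bump bump all

# "Tunnel after bump": when the bytes at the start of a bumped CONNECT
# tunnel (or an accepted connection) do not parse as HTTP, relay them
# blindly to the intended server instead of answering with an error.
on_unsupported_protocol tunnel all
```

Two caveats worth keeping in mind when running the test cases above against this policy. First, the tunnel action only fires when the initial bytes fail HTTP parsing, so the binary-protocol-inside-CONNECT cases are the ones it addresses; a WebSocket Upgrade request is well-formed HTTP and goes through the normal request parser, not through this directive. Second, anything tunnelled this way is opaque to the proxy from then on, so the access log entry for the tunnel is the only record of that traffic, which is why the splice list is kept explicit rather than spliced for everything.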