[squid-dev] Introduction / SslBump upstream ssl proxy support
squid3 at treenet.co.nz
Tue Aug 1 09:42:58 UTC 2017
On 21/07/17 01:11, Mihai Ene wrote:
> I'm a developer with higher-level language experience and very little
> commercial C++ development on my hands.
> I've been following the SslBump feature for a while now, and this
> includes source code changes. SslBumping with upstream proxies was
> completely restricted when bug 3209 was patched in 2011, however, I
> believe the patch is too restrictive. I agree with Amos's statement that
> a plaintext information leak is highly unsafe, but the patch also
> prevents ssl upstream proxies usage.

That bug was 6 years ago, and the comments were specifically about using
plain-text peer connections. The patch was made to cover all parent
peers because ...

The problem Squid still has with SSL/TLS peers is not that they leak
info (they are contacted using TLS after all). It is that explicit-TLS
proxies use their own certs instead of mimic'd ones so they present
Squid with a cert other than the origin server cert. That has
side-effects at the child proxy where bumping cannot mimic the origin
cert details, and SSL-Bump ends up presenting a clearly invalid cert
which reasonable clients reject.

In order for the bumping to work without user-visible issues at present
the best way is for the child proxy to go to its DIRECT or ORIGINAL_DST,
then get re-intercepted into the parent and re-bumped there. Such that
the parent mimics the origin cert and it gets to the child proxy, then

> In order to prevent plaintext and still use upstream proxies, I propose
> the following changes (tested in intranet, in production) which enable
> upstream proxies after ssl bumping, as long as the proxies are ssl
> - version 4.x
> - version 3.5.x

FYI: we are now using the GitHub PR system as the only way to accept changes.
Can you please do your submission as a PR request against the
https://github.com/squid-cache/squid repository master branch. It needs
to be accepted there before PR against the beta and stable branches code
will be considered (in that order).
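The two-hop arrangement Amos describes (child proxy bumps and goes DIRECT, parent intercepts that outbound TLS and bumps it again so the child sees a mimicked origin cert rather than the parent's own cert) can be written out as a pair of squid.conf fragments. This is an added illustration, not configuration from the thread or from the Squid project; it uses Squid 3.5-era directive names (`cert=`/`key=`, `sslcrtd_program`, `sslproxy_cafile`), and every file path, port number and CA name is an assumption. The NAT rule on the parent host that redirects the child's outbound port 443 traffic into the `intercept` port is also assumed and not shown.

```conf
# ---- Child proxy (the one clients talk to) ----
# Explicit port with SSL-Bump. Clients trust child-bump-ca.pem. (paths assumed)
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/child-bump-ca.pem key=/etc/squid/child-bump-ca.key
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Peek at the ClientHello first, then bump everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# No cache_peer is listed here on purpose: since the bug 3209 fix Squid sends
# bumped connections DIRECT (or to ORIGINAL_DST when intercepting) rather than
# through a parent, so the child's TLS leaves this box toward the origin and is
# picked up by the parent's interception below.
always_direct allow all

# The child re-mimics whatever cert the parent presents. Because the parent
# mimics the origin cert and signs it with its own CA, the child must trust
# that CA or it will treat every upstream cert as invalid. (path assumed)
sslproxy_cafile /etc/squid/parent-bump-ca.pem

# ---- Parent proxy (upstream, intercepting) ----
# Receives the child's outbound TLS via a NAT redirect of dst port 443 to 3130
# (redirect rule assumed, not shown). It bumps and mimics the real origin cert,
# so the cert reaching the child carries the origin's name and details.
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/parent-bump-ca.pem key=/etc/squid/parent-bump-ca.key
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

The point to check after deploying is at the client: the cert it receives should carry the origin server's subject and SANs (mimicked twice, child CA on top), not the parent proxy's own identity. If a `cache_peer ... ssl` were used for the bumped traffic instead, the explicit-TLS parent would present its own cert, the child could not mimic origin details from it, and clients would see the invalid cert the reply describes.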