[squid-dev] Changed SSL bump event ordering

Alex Rousskov rousskov at measurement-factory.com
Mon Sep 18 18:33:15 UTC 2017


On 09/18/2017 10:44 AM, Steve Hill wrote:

> I'm not sure when this changed - more debugging tomorrow but I thought
> I'd post what I've found so far in case anyone has any input.
> 
> When peek/splice was first introduced, as far as I remember it worked
> like this (for transparently proxied connections):
> 
> 1. Connection is accepted.
> 2. The ssl_bump ACL is checked for step 1 (my config produces a "peek"
> result).
> 3. The TLS session is peeked.
> 4. A fake CONNECT is produced containing the host name from the peeked SNI.
> 5. The spoof_client_ip, http_access, adaptation_access and cache ACLs
> are checked.
> 7. ICAP REQMOD callout
> 6. The ssl_bump ACL is checked for step 2.


> Testing with Squid 3.5.26, this event order has changed, moving the
> peeking process until later:
> 
> 1. Connection is accepted.
> 2. ssl_bump ACL is checked for step 1 (returning "peek").
> 3. A fake CONNECT is produced containing the web server's IP address.
> 4. The spoof_client_ip, http_access, adaptation_access and cache ACLs
> are checked.
> 5. The TLS session is peeked.
> 6. The ssl_bump ACL is checked for step 2.
> (The ICAP REQMOD callout no longer seems to happen)

AFAICT, neither summary is how things should work. The first is missing
IP-based CONNECT adaptation. The second is missing SNI-based CONNECT
adaptation. You need just the second one, but both should be there to
cover typical use cases.

Also, I would expect the first adaptation and http_access checks
_before_ the first ssl_bump check (as documented at the wiki page
below), not after it (as shown in your second list):

  https://wiki.squid-cache.org/Features/SslPeekAndSplice


> Am I missing something or has this all changed at some point?

This reminds me of the following fix, but I have not investigated (or
forgot) whether that fix is needed in v3.5, whether that fix is about
the same problem you are describing, and whether there are other
problems that may have similar symptoms:

https://github.com/squid-cache/squid/commit/75f6c253bcf019665b736ebc6d257cd56bfca400

If it is not difficult, please see whether Squid v5/master works OK.


Thank you,

Alex.
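To make the ordering Alex refers to concrete: the squid.conf fragment below is an added example for this thread, not configuration posted by Steve or Alex, and it relies on the documented peek-and-splice flow (http_access and adaptation_access evaluated against the IP-based fake CONNECT before the step-1 ssl_bump check, then again against the SNI-based fake CONNECT after the peek). The domain names are placeholders; the ICAP service name is assumed.

```squid
# Added example (not from the thread): peek at step 1, decide at step 2.
# Domains and the ICAP service name are placeholders.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# In transparent mode the first fake CONNECT carries only the origin
# IP:port, so only IP/port-based rules are meaningful at this point.
acl SSL_ports port 443
http_access deny CONNECT !SSL_ports

# Peek at step 1 to learn the SNI. After the peek, Squid builds a second,
# host-based fake CONNECT; http_access and adaptation_access are then
# evaluated again against that host name before the step-2 ssl_bump check.
acl allowed_sni ssl::server_name .example.com   # placeholder domain
acl blocked_sni ssl::server_name .example.net   # placeholder domain
http_access deny CONNECT blocked_sni

# REQMOD adaptation of the host-based CONNECT (service name is assumed).
adaptation_access reqmod_service allow all

ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate blocked_sni
ssl_bump splice all
```

If the deny rule on `blocked_sni` fires only after the TLS handshake has been peeked, and the REQMOD callout never appears in the ICAP server's log, the installation is exhibiting the second ordering Steve describes rather than the documented one; comparing cache.log output from v3.5 against v5/master, as Alex suggests, is the quickest way to confirm whether the linked commit is the relevant fix.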

