[squid-dev] SSL-BUMP distinguish between mobile devices such as IOS or ANDROID vs PC request

Eliezer Croitoru eliezer at ngtech.co.il
Fri Feb 23 01:20:00 UTC 2018


OK then.
If it's doable then it's only waiting for the client who will want to fund this feature.

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: Alex Rousskov [mailto:rousskov at measurement-factory.com] 
Sent: Thursday, February 22, 2018 23:19
To: Eliezer Croitoru <eliezer at ngtech.co.il>; squid-dev at lists.squid-cache.org
Subject: Re: [squid-dev] SSL-BUMP distinguish between mobile devices such as IOS or ANDROID vs PC request

On 02/22/2018 11:56 AM, Eliezer Croitoru wrote:

> I was wondering about the options to distinguish mobile devices TLS\SSL
> requests compared to PC ones.

You need ACLs that can match various TLS Client Hello fields (mostly
message version, protocol version, and ciphers) and a knowledgebase of
typical Hellos for the devices/clients you are interested in. A
Hello-based solution cannot be 100% reliable, but I bet you can identify
many popular OS versions (and, as a consequence, even some physical
devices) with a good-enough probability (for most applications).

IIRC, Squid does not have ACLs that interrogate TLS Client Hello with
the exception of SNI (i.e., ssl::server_name --client_requested).
However, it should not be very difficult to add such ACLs and they would
be generally useful IMO.


Forward proxies can also examine CONNECT headers. That is already
supported AFAIK.


Examining TCP/IP packet headers would also be useful in many cases, but
that is harder to do directly in Squid.


HTH,

Alex.
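
The Client Hello matching described in the reply above, as an added Python example (not part of the original thread and not Squid code): it extracts the record-layer version, the Hello protocol version and the cipher list from a Client Hello, then looks them up in a knowledge base. All function names, the labels and the cipher lists in `KNOWN_HELLOS` are constructed assumptions, not measured device fingerprints.

```python
import struct

def parse_client_hello(data: bytes) -> dict:
    """Pull the fields named above out of one TLS record holding a ClientHello."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    hs_len = int.from_bytes(data[6:9], "big")
    hello = data[9:9 + hs_len]
    if hs_len + 4 > record_len or len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated or fragmented ClientHello")
    (hello_version,) = struct.unpack("!H", hello[:2])
    pos = 2 + 32                       # client_version + random
    pos += 1 + hello[pos]              # session_id length byte + session_id
    if pos + 2 > hs_len:
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    suites = [c for (c,) in struct.iter_unpack("!H", raw)]
    # GREASE values (RFC 8701, 0x0A0A..0xFAFA) vary between connections; drop them.
    suites = tuple(c for c in suites
                   if not ((c >> 8) == (c & 0xFF) and (c & 0x0F) == 0x0A))
    return {"record_version": record_version, "hello_version": hello_version,
            "ciphers": suites}

# Constructed knowledge base: labels and cipher lists are illustrative, not measured.
KNOWN_HELLOS = {
    (0x0301, 0x0303, (0x1301, 0x1302, 0xC02B, 0xC02F)): "example-mobile-os",
    (0x0303, 0x0303, (0xC02C, 0xC030, 0x009F, 0x003C)): "example-desktop-os",
}

def classify(data: bytes, known=KNOWN_HELLOS):
    """Return the label for an exact Hello match, or None when it is unknown."""
    h = parse_client_hello(data)
    return known.get((h["record_version"], h["hello_version"], h["ciphers"]))

def sample_hello(record_version, hello_version, suites) -> bytes:
    """Build a minimal ClientHello (no extensions) as constructed test input."""
    cs = b"".join(struct.pack("!H", c) for c in suites)
    hello = (struct.pack("!H", hello_version) + bytes(32) + b"\x00" +
             struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", record_version, len(hs)) + hs
```

An exact-match lookup returns `None` for any Hello outside the knowledge base, which is the "cannot be 100% reliable" case: a policy built on it needs a default for unknown clients.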


