[squid-users] Transparent proxy with Peek and Splice feature.

Vadim Rogoziansky vrogoziansky.squid at gmail.com
Fri Dec 19 12:29:16 UTC 2014


Any ideas, any thoughts?
Thanks.


On 11/29/2014 6:17 AM, Amos Jeffries wrote:
> On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:
>> Hello Amos.
>>
>> Thank you for the answer.
>>
>> An investigation was made of squid's peek and splice
>> issues in transparent mode. The one-line explanation is as follows: in
>> intercept mode squid can't get a server host name from the request
>> header and uses the client IP address instead, both for fake cert
>> generation and as an SNI record in the server-side bump SSL handshake. This
>> is the root of the problem. However, this can be fixed if squid uses the
>> SNI field taken from the client TLS Hello message for those purposes.
>> Can you hack squid in this way? What do you think?
> I think peek-n-splice is supposed to already be doing that.
>
> However, whether the SNI details are present does depend on whether you
> are bumping the connection at step 1 (before ClientHello), step 2 (after
> ClientHello, before ServerHello), or step 3 (after both ClientHello and
> ServerHello) of the TLS handshake.
>
> Amos
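As an added example (not Squid code, and not part of the thread above), the following Python script shows why the bump step matters: the server name lives only in the SNI extension of the ClientHello, so an intercepting proxy can read it after step 2 (ClientHello seen), while before that it has nothing but the intercepted TCP destination address. The ClientHello bytes are constructed inline for the demonstration rather than captured, and `bump_target` is a hypothetical helper standing in for the proxy's choice of a name for the fake certificate and the outbound SNI; none of these names are Squid's own.

```python
import struct
import ipaddress


def build_client_hello(sni=None):
    """Constructed TLS 1.2 ClientHello record (not a real capture) with an
    optional server_name extension, so the parser can be exercised offline."""
    body = b"\x03\x03"             # client_version: TLS 1.2
    body += bytes(32)              # random (zeros are fine for the example)
    body += b"\x00"                # session_id length 0
    body += b"\x00\x02\xc0\x2f"    # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"            # one compression method: null
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    sig_algs = b"\x00\x02\x04\x01"                                 # signature_algorithms: rsa_pkcs1_sha256
    exts += struct.pack("!HH", 0x000d, len(sig_algs)) + sig_algs
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello
    record, or None when the client offered no usable SNI. Raises ValueError
    for data that is not a well-formed ClientHello."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                              # client_version + random
        pos += 1 + body[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + body[pos]                                      # compression_methods
        if pos + 2 > len(body):
            return None                                           # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != 0x0000:                                # only server_name matters here
                continue
            list_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type != 0:
                    continue
                host = name.decode("ascii")
                try:
                    ipaddress.ip_address(host)
                except ValueError:
                    return host        # a DNS name, as RFC 6066 requires
                return None            # IP literals are not valid SNI; treat as absent
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def bump_target(record, dst_ip):
    """Hypothetical step-2 decision: name the fake certificate and the
    outbound SNI after the client's SNI, falling back to the intercepted
    destination IP when none was offered. At step 1 only dst_ip exists."""
    sni = extract_sni(record)
    return sni if sni is not None else dst_ip


if __name__ == "__main__":
    for name in ("www.example.com", None, "203.0.113.10"):
        print(repr(name), "->", bump_target(build_client_hello(name), "203.0.113.10"))
```

The SNI is client-supplied, so a client can send one host name while its packets are intercepted on the way to a different address; whatever name the proxy picks at step 2 should still be checked against the certificate the real server presents at step 3 before the spliced or bumped connection is trusted under that name.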