[squid-users] Transparent proxy with Peek and Splice feature.

James Harper james at ejbdigital.com.au
Fri Dec 19 22:20:34 UTC 2014


The following "works" for me:

# intercept for transparent proxy of ssl connections
https_port 3130 name=transproxyssl intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ca.pem

# just testing with my laptop
acl james_src arp 11:11:11:11:11:11

# name of port used for transparent ssl interception
acl transproxyssl myportname transproxyssl

ssl_bump stare transproxyssl james_src
ssl_bump bump james_src
ssl_bump splice all

But "works" is probably a bit of an exaggeration. I was seeing lots of this sort of thing in the logs:
 
Error negotiating SSL on FD 75: error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry (1/-1/0)
hold write on SSL connection on FD 65
BUG 3556: FD 112 is not an open socket.
assertion failed: Read.cc:69: "fd_table[conn->fd].halfClosedReader != NULL"

And squid restarting a lot. This was with squid-3.5.0.2-20141121-r13666 and so hopefully I was seeing some bugs that are now fixed, and it's not that I am abusing the configuration or something...

I'm upgrading to the latest snapshot now for further testing.

James


> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Vadim Rogoziansky
> Sent: Friday, 19 December 2014 11:29 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Transparent proxy with Peek and Splice feature.
> 
> Any ideas, any thoughts?
> Thanks.
> 
> 
> 11/29/2014 6:17 AM, Amos Jeffries wrote:
> > On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:
> >> Hello Amos.
> >>
> >> Thank you for the answer.
> >>
> >> An investigation was made into squid's peek and splice issues in
> >> transparent mode. The one-line explanation is as follows: in
> >> intercept mode squid can't get the server host name from the request
> >> header and uses the client IP address instead, both for fake cert
> >> generation and as the SNI record in the server bump SSL handshake. This
> >> is the root of the problem. However, this can be fixed if squid uses
> >> the SNI field taken from the client TLS Hello message for those purposes.
> >> Can you hack squid in this way? What do you think?
> > I think peek-n-splice is supposed to already be doing that.
> >
> > However it does depend on whether you are bumping the connection at
> > step 1 (before ClientHello), step 2 (after ClientHello, before
> > ServerHello), or step 3 (after both ClientHello and ServerHello) of
> > the TLS handshake whether the SNI details are present.
> >
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> 
