[squid-users] Squid 3 SSL bump: Google drive application could not connect

Rafael Akchurin rafael.akchurin at diladele.com
Wed Dec 31 13:11:08 UTC 2014 

Please James do if it is possible.

Best regards,
Rafael

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of James Harper
Sent: Wednesday, December 31, 2014 12:12 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

> 
> Probably non-HTTPS protocol being used.
> 
> As bumping gets more popular we are hearing about a number of services 
> abusing port 443 for non-HTTPS protocols on the false assumption that 
> the TLS layer goes all the way to the origin server without 
> inspection. That has never been a true assumption, CDN frontends have 
> always decrypted.
> 

I've mentioned it before, and it's been pointed out that it probably doesn't scale, but I wrote a callout helper for this reason and for better logging.

Basically:

external_acl_type cert_callout concurrency=20 %DST %PORT /usr/local/squid/libexec/ext_cert_callout_acl
acl is_ssl external cert_callout IS_SSL
ssl_bump bump is_ssl
ssl_bump splice all

The helper connects to the IP:port and tries to obtain the certificate, and then caches the result (in an sqlite database). If it can't do so within a fairly short time it returns failure (but keeps trying a bit longer and caches it for next time). Alternatively if the IP used to be SSL but is now timing out it returns the previously cached value. Negative results are cached for an increasing amount of time each time it fails, on the basis that it probably isn't SSL.

So it's somewhat optimistic - on a slow link or for a slow server a given IP:port might be spliced the first time when it should be bumped, but it will learn fairly quickly. And for non-SSL connections that appear to just hang in response to the request there will be an additional delay the first time. But otherwise it learns about the target without requiring admin intervention.

It also returns the name of the cert so it can be logged instead of the IP (for transparent connections), although that isn't ideal as the same IP might be used for many services (google/youtube/etc)

I can post it if anyone is interested, although it would require a bit of work to be completely useful.

James

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list