[squid-users] Assistance with knowing what I'm really trying to do

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 3 04:22:29 UTC 2014


On 3/11/2014 11:12 a.m., James Lay wrote:
> A weird question....I guess I need to find out exactly what I'm
> wanting before going further with trying to get peek to work.  So
> here's a small example of what I currently have.  From my .conf
> file:
> 
> acl broken_sites dst 23.192.0.0/11
> http_access allow broken_sites
> ssl_bump splice broken_sites
> 
> logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
> %Ss:%Sh %ssl::>cert_subject
> 
> This currently works (no cert_subject though)...log entry shown:
> 
> Nov  2 14:23:24 gateway (squid-1): 192.168.1.102 - - 
> [02/Nov/2014:14:23:24 -0700] "CONNECT 23.211.233.155:443 HTTP/1.1"
> 200 4229 TCP_TUNNEL:ORIGINAL_DST -

The TCP_TUNNEL tag shows that no bumping was done. Thus no details
from inside the TLS transaction are available.

"ssl_bump splice" means the same as "ssl_bump none" ... use the
non-bumped CONNECT handling.


> 
> Now this is required as the above will not function if bumped.
> 
> At work, we use a commercial proxy which we do not use any ssl 
> inspection.  These connections show up as, for example:
> 
> tcp://www.whateversite.com  TCP_DENIED
> 
> And that's what I'm hoping to achieve here...determine what the
> site is, and allow or deny it, without having to actually do any
> SSL inspection.  Will peek/stare accomplish this?  Or am I
> restricted to bump/inspection only, which for a fair amount of
> sites (facebook, instagram, google mail, etc) does not work.
> Thanks all...I appreciate any advice.

That depends on how you define "SSL inspection". If the TLS details
are not inspected with peek - then the details you want will not be
available. You can see that in the above example.

The ssl_bump access controls are now tested repeatedly in a series of
"steps" with the first matching action which is valid at the step
being performed. So I suspect the only working configurations will use
the at_step ACL type to restrict where the rest of the tests will be
performed.

If you look at the documentation for that ACL it shows the steps are
only before/after the client and server Hello messages.

I think you want to peek at step SslBump1 and splice at step SslBump3.
Or maybe peek at step 1 and 2 then splice at 3.

Amos
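Added example, not from this thread or from the Squid project: a squid.conf fragment that follows the "peek at step 1 and 2, then splice at step 3" approach described above, so that the TLS SNI from the client Hello is available for access control and logging without the connection ever being decrypted. It assumes a Squid release with peek/splice ssl_bump actions, the at_step and ssl::server_name ACL types, and the %ssl::>sni logformat code; the host names and ACL names are placeholders.

```conf
# Added example (not the original poster's or Squid's own config).
# Assumes: ssl_bump peek/splice/terminate, at_step and ssl::server_name
# ACLs, and the %ssl::>sni logformat code. Host names are placeholders.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites to refuse, matched on the TLS SNI once the client Hello is seen
acl blocked_sites ssl::server_name .example.com

# Step 1: only the CONNECT target is known, so peek to read the client Hello
ssl_bump peek step1

# Step 2: the SNI is now available. Refuse blocked sites without decrypting,
# and peek at the rest so the server Hello is also seen (still no decryption)
ssl_bump terminate blocked_sites
ssl_bump peek step2

# Step 3: server Hello/certificate seen; pass the connection through untouched
ssl_bump splice all

# Log the SNI (from the client Hello) and the server certificate subject
# (from the server Hello) even though the traffic was never bumped
logformat tls_tunnel %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>sni %ssl::>cert_subject
access_log /var/log/squid/access.log tls_tunnel
```

Two caveats a practitioner should keep in mind: the SNI is client-supplied and unauthenticated, so a hostname ACL built on it is a policy control, not a security boundary (a client can send a false SNI, or none at all, in which case ssl::server_name falls back to the CONNECT target); and a connection that was peeked at step 2 has already had the real client Hello forwarded to the origin server, so the only actions that make sense at step 3 are splice or terminate, not bump.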

