[squid-users] Transparent proxy with Peek and Splice feature.

Amos Jeffries squid3 at treenet.co.nz
Sat Nov 29 04:17:19 UTC 2014



On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:
> Hello Amos.
> 
> Thank you for the answer.
> 
> An investigation was made into squid's peek and splice issues in
> transparent mode. The one-line explanation is as follows - in
> intercept mode squid can't get a server host name from the request
> header and uses the client IP address instead for both fake cert
> generation and as an SNI record in server bump SSL handshaking. This
> is the root of the problem. However this can be fixed if squid uses
> the SNI field taken from the client TLS Hello message for those purposes.
> Can you hack squid in this way? What do you think?

I think peek-n-splice is supposed to already be doing that.

However, whether the SNI details are present does depend on whether you
are bumping the connection at step 1 (before ClientHello), step 2 (after
ClientHello, before ServerHello), or step 3 (after both ClientHello and
ServerHello) of the TLS handshake.

Amos
