[squid-users] Peek and splice without replacing the certificates

Amos Jeffries squid3 at treenet.co.nz
Mon Dec 14 19:14:39 UTC 2015

On 15/12/2015 5:52 a.m., Marcus Kool wrote:
> On 12/14/2015 06:43 AM, Парфенович Н.А. wrote:
>> Hello! Could you show how to use Squid in transparent mode for tracking
>> HTTPS without replacing the certificates?
>> My squid.conf: http://pastebin.ru/AWU8LXvK. If I use this configuration
>> file with Squid version 3.5.8 compiled with LibreSSL, everything works
>> fine. But if I use version 3.5.9 and above, Squid begins to be
>> "terminated" when the number of clients is above 20. Moreover, it is
>> interrupted for no apparent reason or messages in the logs. I also tested
>> versions >= 4.0; the effect is the same - Squid is "terminated". How can I
>> overcome the problem? Is there anything to correct in my configuration?
>> Thank you in advance. PS: Sorry for my English.
> Depending on how you define "tracking" ...
> Your squid config has:
> acl blocked ssl::server_name  "/etc/squid/blocked_https.txt"
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump terminate blocked
> ssl_bump splice all
> So it seems that you want to peek and block a few sites based on the SNI
> and splice all other allowed sites.
> When you splice, the TLS/SSL connection is untouched so the original
> certificates of the webservers are used.
> I am not 100% sure, but it seems that to configure sslbump, one must
> define a fake CA certificate to tell Squid to do sslbumping.
> But since you never bump (only terminate or splice) the fake CA
> certificate is never used.

Sort of. The terminate action does need to do a full bump with what used
to be called client-first style of bumping. Otherwise for splice-only
they are unused, but still need to be properly configured just to enable
ssl_bump processing in current Squid.

> To debug the sslbump feature you need to set
> debug_options ALL,1 33,9 83,9
> and carefully look at cache.log to see what is going wrong.
> Marcus
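A squid.conf fragment illustrating the point made above, added here as an example (it is not the poster's actual configuration, which is only linked, nor code from the Squid project): the https_port keeps its ssl-bump and CA certificate options and the certificate generator stays configured, even though the rules only peek, terminate and splice. The certificate paths, helper path, database path and port number are assumed values.

```conf
# Intercepted HTTPS (transparent mode). The ssl-bump flag and a CA cert/key
# are required to enable ssl_bump processing at all, even when no rule bumps.
# The cert path and port 3129 are assumed values; adjust to your install.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    key=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# The terminate action performs a full (client-first style) bump, so keep the
# certificate generator configured as for any bump. Helper and DB paths are
# assumed (Squid 3.5 helper name; Squid 4 renames it security_file_certgen).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# SNI-based block list, one server name per line (file path as in the thread).
acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1

# Step 1: only peek at the ClientHello to learn the SNI.
ssl_bump peek step1
# Step 2: close listed sites; pass everything else through untouched so the
# origin server's own certificate reaches the client unchanged.
ssl_bump terminate blocked
ssl_bump splice all

# Temporary, while investigating the crashes (as suggested above); the
# section 33/83 traces are verbose, so revert once cache.log has been read.
debug_options ALL,1 33,9 83,9
```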