[squid-users] Squid 3 SSL bump: Google drive application could not connect

Yuri Voinov yvoinov at gmail.com
Sun Jan 4 21:29:31 UTC 2015


As I can see, we have two major problems with SSL Bump now.

1. Stupid apps and their stupid developers - like ICQ and other stupid IM
- which hope port 443 is never blocked because it is used for
logons/internet banking etc.
This stupid way breaks standards (?) and makes us crazy. Now the single
solution is to catch them manually and pass them without bumping. This is the
simplest problem. And I hope it will be solved in core - i.e. in Squid
directly.

2. SSL pinned sites. We cannot do anything with them except sniff them
and pass by IP without bump.

The first problem seems easy to solve. Either by helper, or by squid - no
matter. It's really simple. Just check the SSL cert on the server side - and
make the decision - to bump, or not to bump.

The second problem seems difficult and now I can't see any reasonable
solution, excluding sniffer/manual add to acl.

Any ideas? Will a helper be written?

WBR, Yuri

05.01.2015 2:17, Douglas Davenport writes:
> I saw a very similar feature in ufdbGuard which is a URL filter implemented as a Squid Redirector. They
> have a feature which probes the destination server for a valid HTTPS
> cert in parallel to the user's connection and terminates it if it turns
> out not to be a valid HTTPS cert. Their code is open source, maybe this
> could be helpful in creating such a helper?
>
> http://www.urlfilterdb.com/home.html
>
> On Sat, Jan 3, 2015 at 3:45 AM, Yuri Voinov <yvoinov at gmail.com
> <mailto:yvoinov at gmail.com>> wrote:
>
>
> The term "HTTPS" is often used as "any connect over port 443"....
>
> 03.01.2015 13:59, Jason Haar writes:
> > On 01/01/15 00:11, James Harper wrote:
> >> The helper connects to the IP:port and tries to obtain the
> certificate, and then caches the result (in an sqlite database). If it
> can't do so within a fairly short time it returns failure (but keeps
> trying a bit longer and caches it for next time). Alternatively if the
> IP used to be SSL but is now timing out it returns the previously cached
> value. Negative results are cached for an increasing amount of time each
> time it fails, on the basis that it probably isn't SSL.
> > That sounds great James! I'd certainly like to take a look at it too
>
> > However, you say "SSL"  - did you mean "HTTPS"? ie discovering a ip:port
> > is an IMAPS server doesn't really help squid talk to it - surely you want
> > to discover HTTPS servers - and everything else should be
> > pass-through/splice?
>

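The probing helper James Harper describes above (connect to ip:port, try to obtain the certificate, cache the answer in sqlite, fail fast but keep negative results for a growing interval, and fall back to the cached answer when a known-TLS host starts timing out), as an added Python sketch that is not code from this thread, from ufdbGuard or from Squid. The function names, the TTL and backoff constants, and the OK/ERR answer convention are assumptions of this sketch.

```python
import socket
import sqlite3
import ssl
import time

POSITIVE_TTL = 3600   # seconds before a known-TLS host is probed again (assumed value)
RECHECK = 300         # re-probe delay when a known-TLS host starts timing out (assumed)
BASE_BACKOFF = 60     # negative cache grows as BASE_BACKOFF * 2**fails, capped below
MAX_BACKOFF = 86400

def probe_tls(host, port, timeout=3.0):
    """True if host:port completes a TLS handshake and hands us a certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # we ask "is it TLS?", not "is it trusted?"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True) is not None
    except OSError:                      # refused, timed out, or not TLS at all
        return False

def open_cache(path="tls_cache.db"):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS tls_cache("
                 "key TEXT PRIMARY KEY, is_tls INT, fails INT, retry_at REAL)")
    return conn

def decide(conn, host, port, probe=probe_tls, now=time.time):
    """Return 'OK' (bump) or 'ERR' (do not bump); probe/now are injectable for tests."""
    key, t = f"{host}:{port}", now()
    row = conn.execute("SELECT is_tls, fails, retry_at FROM tls_cache WHERE key=?",
                       (key,)).fetchone()
    if row and t < row[2]:               # cached answer still valid, no network I/O
        return "OK" if row[0] else "ERR"
    was_tls, fails = (row[0], row[1]) if row else (0, 0)
    ok = probe(host, port)
    if ok:
        conn.execute("REPLACE INTO tls_cache VALUES(?,1,0,?)", (key, t + POSITIVE_TTL))
    elif was_tls:                        # used to be TLS, now timing out: keep old answer
        conn.execute("REPLACE INTO tls_cache VALUES(?,1,0,?)", (key, t + RECHECK))
    else:                                # each failure doubles the negative cache time
        fails += 1
        conn.execute("REPLACE INTO tls_cache VALUES(?,0,?,?)",
                     (key, fails, t + min(BASE_BACKOFF * 2 ** fails, MAX_BACKOFF)))
    conn.commit()
    return "OK" if ok or was_tls else "ERR"
```

Run as a Squid external ACL helper it would read one `host port` line per lookup on stdin and print OK or ERR, so the resulting ACL can gate the bump decision. It only answers Jason's "is it SSL?" question; telling HTTPS apart from IMAPS on the same port would need an application-level check on top.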
