[squid-users] Squid 3 SSL bump: Google drive application could not connect

Jason Haar Jason_Haar at trimble.com
Tue Jan 6 09:59:48 UTC 2015


On 06/01/15 05:28, Eliezer Croitoru wrote:
> In 3.5 there will be a new feature called peek and splice that gives an
> interface to squid and the admin, which will allow the admin to know a
> couple of things about the connection from squid, and specifically,
> first, the client TLS request.
Is there an example document showing just how to do this? Looking at the
current docs, I can't quite figure out how to layer them all together to
achieve what I'd imagine 99% of sysadmins wanting to do ssl-bump need to
do. Even squid-3.4 works very well without peek/splice - if you are
using it as a formal proxy. But it all falls apart with transparent tcp
443 - as squid only has the dst IP...

What I'd like to do is to use peek to grab the SSL server name the
client sends so that it is available to acls (and external acl calls -
and logging?) as if the client had gone "CONNECT server.name:443"?

A quick sniff with wireshark shows Firefox (as an example) sends the
server name as a client SNI request in the first "real" packet (ie after
the 3-way), so that smells to my naive understanding as "good for a
peek" - and should allow squid to do an initial chat with the client,
get the SNI, then dupe with the real server, then decide if to splice or
bump the rest? Clients that don't support SNI will probably have to be
spliced - I don't care - I'm only interested in running AV scanners and
porn filters over HTTPS requests from web browsers - the 0.1% remaining
SSL traffic can slip through the cracks for all I care ;-)
 

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
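The "peek at the first packet, read the SNI, then splice or bump" flow described in the message above, as an added example that is not part of the original post or of Squid itself. It parses the server_name extension out of a TLS ClientHello record the way a peek step sees it, and applies the policy sketched in the mail: clients that send no SNI get spliced, everything else is bumped unless it is on an exempt list. The ClientHello bytes are constructed here by a helper (not captured from Firefox), and the `decide` policy and its `splice_exempt` argument are hypothetical names chosen for the illustration.

```python
"""Added example: extract SNI from a TLS ClientHello and choose splice vs bump.
Not Squid code; the ClientHello is constructed below, not captured."""
import struct

TLS_HANDSHAKE = 0x16     # TLS record content type: handshake
CLIENT_HELLO = 0x01      # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000 # extension type: server_name (SNI)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample data)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x00" * 32          # random (zeroed for the sample)
        + b"\x00"               # session_id length: 0
        + b"\x00\x02\xc0\x2f"   # one cipher suite
        + b"\x01\x00"           # one compression method: null
    )
    if extensions:               # a client without SNI support sends no extension block
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None                       # not a TLS handshake record at all
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 38 or hs[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                      # skip msg type/len, version, random
        pos += 1 + hs[pos]                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                    # compression_methods
        if pos + 2 > len(hs):
            return None                       # no extensions block: no SNI to peek at
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == EXT_SERVER_NAME:
                list_len = struct.unpack("!H", hs[pos:pos + 2])[0]
                p = pos + 2
                while p + 3 <= pos + 2 + list_len:
                    ntype = hs[p]
                    nlen = struct.unpack("!H", hs[p + 1:p + 3])[0]
                    if ntype == 0:            # host_name entry
                        return hs[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
                return None
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                           # truncated or garbled hello: treat as no SNI


def decide(record, splice_exempt=frozenset()):
    """Hypothetical policy from the mail: no SNI -> splice; exempt host -> splice; else bump."""
    sni = extract_sni(record)
    if sni is None or sni in splice_exempt:
        return "splice"
    return "bump"


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))   # www.example.com
    print(decide(build_client_hello()))                         # splice (no SNI)
```

The parser deliberately returns None rather than raising on anything it cannot read, so a client that sends no extensions, or non-TLS bytes on port 443, falls through to "splice" and is passed along untouched instead of breaking the connection.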
