[squid-users] Squid 3 SSL bump: Google drive application could not connect

Jason Haar Jason_Haar at trimble.com
Thu Jan 8 06:33:42 UTC 2015


On 08/01/15 18:41, Chris Bennett wrote:
> Interesting thread so far.  Has anyone thought of using Bro-IDS as a
> feedback loop for some of this advanced logic for bypassing bumping?

The external acl method mentioned earlier probably out-does using some
NIDS feedback loop. In my testing it causes squid to block that new
connection until it returns, and that means your external acl script can
simply attempt an SSL transaction against the end-server and in realtime
figure out whether it's SSL or not. And then cache it, blah, blah blah.

The advantage is that it will do a lookup on new HTTPS sessions and
potentially have the answer immediately (i.e. it can bump on first
attempt), whereas a NIDS would only find out the answer after squid has
defaulted to passthrough/splice mode, so it would only work properly on
future connections to that site.

> I like the active external acl solution since it meets a need, but
> there is overhead.  I'm not quite sure what Bro logs for non-HTTPS
> 443 traffic, but I thought I'd chime in with the above idea if anyone
> wants to expand on it further :)

If you think the external acl method is too expensive to run, how do you
expect to feed this NIDS data back into squid? I think you'd find you'd
need an external acl check to do that bit anyway :-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
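The helper Jason describes above, written out as an added example (this is not code from the thread or from the Squid project): Squid hands the external ACL helper a "<host> <port>" line per new CONNECT, the helper attempts a real TLS handshake against that destination with a short timeout, answers "OK" only if the peer actually speaks TLS, and caches the verdict so repeat lookups cost nothing. The `external_acl_type tlsprobe ... %DST %PORT` wiring, the ACL name `really_tls`, and the 3-second probe timeout are assumptions chosen for this example; the "BH" reply for malformed input is the Squid 3.4+ helper-protocol syntax.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that checks whether a destination really speaks TLS.

Assumed (hypothetical) squid.conf wiring, not taken from the thread:
    external_acl_type tlsprobe ttl=600 %DST %PORT /usr/local/bin/tlsprobe.py
    acl really_tls external tlsprobe
Squid feeds one "<host> <port>" line per lookup on stdin and expects a
reply line of "OK" or "ERR" ("BH" = helper failure, Squid 3.4+ syntax).
"""
import socket
import ssl
import sys
import time

PROBE_TIMEOUT = 3.0   # seconds; the client is stalled while we probe, so keep it short
CACHE_TTL = 600       # seconds; helper-side cache on top of squid's own ttl= setting


def probe_tls(host, port, timeout=PROBE_TIMEOUT):
    """Return True if the server completes a TLS handshake, False otherwise.

    Certificate verification is deliberately off: the only question here is
    "does the peer speak TLS at all", which is what decides bump vs. splice.
    Validating the certificate is squid's job once it bumps the connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):
        # ssl.SSLError, socket.timeout and socket.gaierror are all OSError:
        # refused, timed out, DNS failure, plaintext banner, handshake failure
        # all land here and all mean "this is not TLS, do not bump".
        return False


class ProbeCache:
    """Memoises probe verdicts per (host, port) for CACHE_TTL seconds."""

    def __init__(self, probe=probe_tls, ttl=CACHE_TTL, clock=time.monotonic):
        self._probe = probe      # injectable so the logic can be tested offline
        self._ttl = ttl
        self._clock = clock
        self._entries = {}       # (host, port) -> (verdict, expiry)
        self.probe_count = 0     # how many real probes were issued

    def is_tls(self, host, port):
        key = (host.lower(), port)
        now = self._clock()
        hit = self._entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.probe_count += 1
        verdict = self._probe(host, port)
        self._entries[key] = (verdict, now + self._ttl)
        return verdict


def decide(line, cache):
    """Turn one squid request line ("<host> <port>") into the helper reply."""
    parts = line.split()
    if len(parts) != 2 or not parts[1].isdigit():
        return "BH message=malformed-request"
    host, port = parts[0], int(parts[1])
    return "OK" if cache.is_tls(host, port) else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout, cache=None):
    """Main loop: one reply line per request line; flush so squid is not left waiting."""
    cache = cache if cache is not None else ProbeCache()
    for line in stdin:
        stdout.write(decide(line, cache) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

With this in place the ssl_bump rules can bump only traffic matching `really_tls` and splice everything else, which is exactly the "answer on the first attempt" behaviour described above; the cost Chris worries about is paid once per destination per TTL, and the probe's timeout bounds how long a client can be held up by an unreachable server.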


