[squid-users] HTTPS intercept, simple configuration to avoid bank bumping

Josep Borrell jborrell at central.aplitec.com
Tue Jan 27 10:33:41 UTC 2015 

I agree.
Are there someone with the skills to help us with a working sample ?
is an external ACL needed as Dan remarks ?
maybe the peek and splice feature need some tuning ?
if I can help with something, tell me.

Josep



De: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] En nombre de Jason Haar
Enviado el: lunes, 26 de enero de 2015 22:34
Para: squid-users at lists.squid-cache.org
Asunto: Re: [squid-users] HTTPS intercept, simple configuration to avoid bank bumping


Well the documentation says

#   SslBump1: After getting TCP-level and HTTP CONNECT info.
#   SslBump2: After getting SSL Client Hello info.
#   SslBump3: After getting SSL Server Hello info.


So that means SslBump1 only works for direct proxy (ie CONNECT) sessions, it's SslBump2 that peeks into the traffic to discover the client SNI hostname. So I think you actually need (I'll use more descriptive acl names and comment out those that I think don't add any value)

acl domains_nobump dstdomain "/etc/squid/domains_nobump.acl"
#no added value: acl DiscoverCONNECTHost at_step SslBump1
acl DiscoverSNIHost at_step SslBump2
#don't use - breaks bump: acl DiscoverServerHost at_step SslBump3
#no added value - in fact forces peek for some reason: ssl_bump peek DiscoverCONNECTHost all
ssl_bump peek DiscoverSNIHost all

ssl_bump splice domains_nobump
#DiscoverSNIHost should now mean Squid knows about all the SNI details
ssl_bump bump all

Sadly, this doesn't work for me *in transparent mode*. Works fine when using squid as a formal proxy, but when used via https_port intercept, we end up with IP address certs instead of SNI certs.

We really need someone who knows more to tell us how to make this work :-(


--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150127/0459f4c3/attachment.html>

More information about the squid-users mailing list