[squid-users] HTTPS intercept, simple configuration to avoid bank bumping
Jason Haar
Jason_Haar at trimble.com
Tue Jan 27 21:02:35 UTC 2015
I might have found something
Turning up debugging shows that squid is learning the SNI value from an
intercepted/transparent HTTPS session (or is it learnt from the server
response?)
2015/01/28 09:23:34.328 kid1| bio.cc(835) parseV3Hello: Found server
name: www.kiwibank.co.nz
Looking that up in the source code, it's from bio.cc. However the same
file implies I should also be seeing the SNI debug line:
#if defined(TLSEXT_NAMETYPE_host_name)
if (const char *server = SSL_get_servername(ssl,
TLSEXT_NAMETYPE_host_name))
serverName = server;
debugs(83, 7, "SNI server name: " << serverName);
#endif
On my test Ubuntu 14.04 laptop with squid-3.5.1 and openssl-1.0.1f,
TLSEXT_NAMETYPE_host_name is defined in /usr/include/openssl/tls1.h, so
that should cause that debug line to be called - but it isn't?
I also confirmed with wireshark that my Firefox browser was generating a
SNI (although it took me a few minutes to realise I have to sniff port
3129 [which I redirected 443 onto] as well as 443 to get the full tcp
session)
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the squid-users
mailing list