[squid-users] ssl_bump and SNI

James Lay jlay at slave-tothe-box.net
Mon Jun 1 11:10:48 UTC 2015


On Mon, 2015-06-01 at 12:12 +1000, Nathan Hoad wrote:

> Hello,
> 
> Here are some excerpts of what I've used, and an example Python helper:
> 
> https_port 60099 intercept ssl-bump tcpkeepalive cert=/path/to/cert.pem key=/path/to/key.pem options=NO_SSLv2,NO_SSLv3 generate-host-certificates=on
> 
> external_acl_type sni ttl=30 concurrency=X children-max=Y children-startup=Z %ssl::>sni /path/to/your/helper
> 
> acl sni_exclusions external sni
> acl tcp_level at_step SslBump1
> acl client_hello_peeked at_step SslBump2
> 
> ssl_bump peek tcp_level all
> ssl_bump splice client_hello_peeked sni_exclusions
> ssl_bump bump all
> 
> Helper:
> 
> import sys
> 
> # readline(), not read(): read() blocks until Squid closes the pipe,
> # so the helper would never answer while Squid is running.
> line = sys.stdin.readline()
> 
> # run loop until an empty read, which indicates the process should shut down.
> while line:
>     # with concurrency=N, each request is "<concurrency-id> <sni>"
>     concurrency_id, sni = line.split()
> 
>     if sni == 'wellsfargo.com':
>         sys.stdout.write('%s OK\n' % concurrency_id)
>     else:
>         sys.stdout.write('%s ERR\n' % concurrency_id)
>     # flush, otherwise the reply sits in the stdout buffer and Squid waits
>     sys.stdout.flush()
> 
>     line = sys.stdin.readline()
> 
> Hope that helps,
> 
> Nathan.
> 
> On 30 May 2015 at 01:14, James Lay <jlay at slave-tothe-box.net> wrote:
> > On 2015-05-29 08:57 AM, Nathan Hoad wrote:
> >>
> >> Yes, I have it working on about a dozen deployments so far, using an
> >> external ACL to make bumping decisions based on the SNI server name
> >> and a few other things. No complaints from me, it Just Works.
> >> On 29/05/2015 5:50 pm, "sp_" <apani at yandex.ru> wrote:
> >>
> >>> Hello,
> >>>
> >>> does anyone have a working squid 3.5 with intercept + https?
> >>> I've googled a lot, but it seems there is no positive experience
> >>> with it.
> >>>
> >>> _______________________________________________
> >>> squid-users mailing list
> >>> squid-users at lists.squid-cache.org
> >>> http://lists.squid-cache.org/listinfo/squid-users [2]
> >>
> >
> >
> > Nathan,
> >
> > Care to post your config and external helper?  I know I'd love to see
> > concrete examples.  Thank you.
> >
> > James
> >


Thank you Nathan.

James
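The external ACL helper protocol that Nathan's config relies on (Squid sends `<channel-id> <sni>` per request, the helper answers `<channel-id> OK` to splice or `<channel-id> ERR` to fall through to `ssl_bump bump all`), as an added, more complete helper that is not part of the thread: it matches a domain and its subdomains, treats the `-` Squid sends for a missing SNI as a non-match, and fails closed on malformed input. The exclusion list is constructed for illustration.

```python
#!/usr/bin/env python3
"""Squid external ACL helper for an SNI exclusion list (added example).
OK = SNI is on the list, so the matching ssl_bump rule splices;
ERR = not on the list, so the request falls through to 'bump all'."""
import sys
from typing import Optional

# Constructed example list: each name matches itself and any subdomain.
SPLICE_DOMAINS = frozenset({"wellsfargo.com", "example-bank.test"})


def sni_excluded(sni: str, domains=SPLICE_DOMAINS) -> bool:
    """True if sni equals a listed domain or is a subdomain of one.
    Squid sends '-' when the ClientHello carried no SNI; that never matches."""
    host = sni.strip().rstrip(".").lower()
    if not host or host == "-":
        return False
    return host in domains or any(host.endswith("." + d) for d in domains)


def handle_request(line: str, domains=SPLICE_DOMAINS) -> Optional[str]:
    """Map one concurrency-protocol request line to the reply Squid expects.
    Returns None for an empty line: there is no channel to answer on."""
    fields = line.split()
    if not fields:
        return None
    channel = fields[0]
    # Channel but no key: malformed, so fail closed (ERR means bump, not splice).
    if len(fields) < 2:
        return f"{channel} ERR"
    verdict = "OK" if sni_excluded(fields[1], domains) else "ERR"
    return f"{channel} {verdict}"


def main() -> None:
    # readline(), not read(): read() would block until Squid closes the pipe.
    for line in iter(sys.stdin.readline, ""):
        reply = handle_request(line)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()  # Squid waits per channel; never leave replies buffered


if __name__ == "__main__":
    main()
```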