[squid-users] ssl_bump and SNI

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 4 10:26:51 UTC 2015


On 4/06/2015 6:29 p.m., sp_ wrote:
> Hello Amos,
> 
> thank you for your reply.
> 
> Let's take for instance this line:
> 
> 192.168.78.31 - - [04/Jun/2015:09:41:22 +0300] "CONNECT 173.194.122.233:443 HTTP/1.1" 200 0 "-" "-" TCP_DENIED:HIER_NONE
> 
> 
> I have dumped the traffic passing through the interface on the router during this request.
> In client hello in Extension "server_name" I can see the domain:
> 
> Server Name: clients4.google.com

In your packet trace look at the details in the TCP SYN packet *only* to
see what the Squid CONNECT has available.

> 
> 
> According to RFC, domain is a must in Client Hello, when SNI is used.

Yes. But the ClientHello is not part of a TCP SYN packet - which is what
Squid is working with when it does that fake CONNECT message processing.

The TLS packets have explicitly not been read into Squid yet in case
splice, none, or terminate actions are to be done by the ssl_bump step1
rules.


If the bumping is successful there will be other requests from inside
the TLS that get logged with the domain etc.

For now Squid does not log any of the SSL-bumping process itself. There
is an open bug about that now.

Amos
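To make the distinction in the reply concrete, here is an added example (not Squid code and not from the original thread) that parses the first TLS record of a connection and pulls the host name out of the server_name (SNI) extension. The ClientHello bytes are constructed inline by a helper; a TCP SYN carries no payload at all, and the CONNECT line from the log is plain HTTP, so the parser returns None for both, which is exactly why the fake CONNECT logged at step1 shows only the IP address while the domain is only recoverable once the TLS record has been read.

```python
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record, optionally
    carrying a server_name extension. Field values are arbitrary test data."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry              # ServerNameList
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (
        b"\x03\x03"                                 # client_version: TLS 1.2
        + bytes(32)                                 # random (constructed zeros)
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
        + b"\x01\x00"                               # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None when
    the payload is empty, not TLS, not a ClientHello, truncated, or has no SNI."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    rec = payload[5:5 + rec_len]
    if len(rec) < rec_len or len(rec) < 4 or rec[0] != 0x01:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hello = rec[4:4 + hs_len]
    if len(hello) < hs_len:
        return None
    pos = 2 + 32                                    # skip client_version and random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                           # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                           # compression_methods
    if len(hello) < pos + 2:
        return None                                 # no extensions block present
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(hello):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000 or len(ext) < 2:
            continue
        list_end = min(2 + struct.unpack("!H", ext[0:2])[0], len(ext))
        q = 2
        while q + 3 <= list_end:                    # each ServerName: type(1) length(2) name
            name_type = ext[q]
            name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
            q += 3
            if name_type == 0 and q + name_len <= list_end:
                return ext[q:q + name_len].decode("ascii", "replace")
            q += name_len
    return None


if __name__ == "__main__":
    # What a proxy has at the fake-CONNECT stage (SYN payload) versus after reading TLS.
    print("TCP SYN payload        ->", extract_sni(b""))
    print("CONNECT request line   ->", extract_sni(b"CONNECT 173.194.122.233:443 HTTP/1.1\r\n\r\n"))
    print("ClientHello with SNI   ->", extract_sni(build_client_hello("clients4.google.com")))
    print("ClientHello without SNI->", extract_sni(build_client_hello(None)))
```

The bounds checks matter for the same reason Squid defers reading: a proxy or IDS that wants to log the domain must read and validate the first TLS record itself, and a truncated or non-TLS first packet has to be handled as "no name available" rather than as an error.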
