[squid-users] SSL Peek-n-Splice and exclusions by SNI

Nathan Hoad nathan at getoffmalawn.com
Mon Mar 9 07:16:18 UTC 2015 

Hi Amos,

After digging through debug logs, I noticed this:

2015/03/09 14:40:12.467 | client_side.cc(2902)
concurrentRequestQueueFilled: local=74.125.23.95:443
remote=10.3.20.249:40083 FD 11 flags=33 max concurrent requests
reached (1)
2015/03/09 14:40:12.467 | client_side.cc(2903)
concurrentRequestQueueFilled: local=74.125.23.95:443
remote=10.3.20.249:40083 FD 11 flags=33 deferring new request until
one is done
2015/03/09 14:40:12.467 | client_side.cc(4365)
httpsSslBumpStep2AccessCheckDone: Failed to start fake CONNECT request
for ssl spliced connection: local=74.125.23.95:443
remote=10.3.20.249:40083 FD 11 flags=33

Which sparked my memory about a patch that Christos has for 3.5.3:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13766.patch

After applying this patch and rebuilding, everything works now, so
that's good. I tried using dstdomain as opposed to an external ACL and
it did not work - I suspect this is because dstdomain doesn't cover
the SNI server name, but it should be fine with Christos' server_name
ACL patch I would expect. If I get time I might try applying that to
3.5.x to see if it covers my use case, but for the time being I'll
stick with the external ACL helper.

Cheers,

Nathan.

On 9 March 2015 at 16:06, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 9/03/2015 5:52 p.m., Nathan Hoad wrote:
>> Hi folks,
>>
>> I'm playing with 3.5.2 and Peek-n-Splice, I was wondering if it's
>> actually possible to exclude requests based on the SNI host and have
>> Squid still bump correcty.
>
> It is supposed to work, but there have been troubles. So YMMV.
>
>> I've been trying with this configuration,
>> using a simple external acl:
>>
>> https_port 60443 intercept ssl-bump cert=/path/to/inspectcert.pem
>> key=/path/to/inspectkey.pem generate-host-certificates=on
>> external_acl_type sni ttl=30 concurrency=60 children-max=3
>> children-startup=1 %ssl::>sni /usr/libexec/bumphelper
>>
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>>
>> acl sslbump_exclusions external sni
>>
>> ssl_bump peek step1 all
>> ssl_bump splice step2 sslbump_exclusions
> <snip>
>
>>
>> So what am I missing? It's very hard to find documentation about this,
>> so I might put this up on the wiki as an example once it's sorted.
>
> The big issue here is ssl_bump being a fast-type access check. external
> ACL helpers do not work reliably.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list