[squid-users] ssl_bump for specific dstdomain

Amos Jeffries squid3 at treenet.co.nz
Fri Mar 13 09:04:07 UTC 2015


On 13/03/2015 6:39 p.m., Yuri Voinov wrote:
> 
> 
> 13.03.15 2:37, Mukul Gandhi writes:
>> On Thu, Mar 12, 2015 at 11:04 AM, Yuri Voinov <yvoinov at gmail.com> 
>> wrote:
> 
>> You only have an external helper (which you must write yourself) in 
>> 3.4.x.
> 
> 
>>> Are there any examples that I can look at to implement this 
>>> external helper for doing selective ssl_bumps? And what would 
>>> this helper script do anyways? All we have is the destination IP 
>>> address which is not really going to give us the actual HTTP 
>>> hostname.
> Yes and no. There is one third-party helper in the list archives, written
> in Python. None of these is included in the Squid distribution.
> 
> 
>> Working with domains in ssl_bump is fully available at least in 3.5.x.
> 
> 
>>> Does the 3.5.x implementation decrypt the whole payload and then 
>>> do the ssl_bump? The "peek" option seems to imply that only the 
>>> HTTP headers are peeked at.
> Of course. As in 3.4.x. The difference is only in the mechanisms.

And no at the same time. HTTP message headers inside the encryption are
encrypted and unavailable until after the decryption is decided (bumped).

What gets peeked at is the TLS ClientHello and TLS ServerHello details.
SNI may become available by peeking when raw-IP was all that was in the
HTTP CONNECT message or intercepted TCP packets.

You can then use those non-private TLS details to decide between reject,
splice (pass-thru) or bump (decrypt) for the encrypted HTTPS data.


> 
>>> I guess what I am asking is, is there any way we can do this 
>>> without actually decrypting the payload?
> 3.5.x peek-and-splice functionality does the bump split into stages,
> unlike 3.4.x, which does the bump in one stage.
> 

Amos
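The staged decision Amos describes (peek at the TLS ClientHello first, then choose splice or bump from the SNI) maps onto a Squid 3.5 ssl_bump configuration like the following. This is an added illustration, not a configuration taken from the thread or from the Squid distribution; the domain name `.example.com` in the `bump_domains` acl, the port number and the certificate and helper paths are placeholders to be replaced with site-specific values.

```squid
# Added example: selective SslBump by SNI on Squid 3.5 (peek-and-splice).
# All paths, the port and the .example.com domain are placeholders.

# Intercepted HTTPS port; Squid must hold a CA cert/key that clients trust.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/squidCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Certificate-generation helper used only for connections that get bumped.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# The three SslBump steps: 1 = before the ClientHello is forwarded,
# 2 = after the ClientHello has been read (SNI known), 3 = after ServerHello.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Destinations to decrypt. ssl::server_name matches the SNI learned by
# peeking at step 1 (or the CONNECT hostname when one was given).
acl bump_domains ssl::server_name .example.com

# Step 1: only peek, so the SNI becomes available without committing to bump.
ssl_bump peek step1

# Step 2: decide from the SNI. Bumping is still possible here because only
# the client side was peeked at; peeking at the ServerHello (step 3) would
# preclude bumping, so the decision is made before that.
ssl_bump bump bump_domains
ssl_bump splice all
```

With this order, traffic to anything other than the listed domains is passed through without decryption, and only the non-private TLS handshake details (SNI, not HTTP headers) are inspected to make that choice. Connections with no SNI and only a raw destination IP will fall through to `splice all`, so they remain encrypted end to end; if such traffic must be handled differently, a separate acl on the destination IP is needed rather than relying on `ssl::server_name`.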


