[squid-users] Server-first SSL bump in Squid 3.5.x

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 19 06:18:55 UTC 2015


On 19/03/2015 6:36 p.m., Dan Charlesworth wrote:
> Hey y’all
> 
> Finally got 3.5.2 running. I was under the impression that using server-first SSL bump would still be compatible, despite all the Peek & Splice changes, but apparently not. Hopefully someone can explain what might be going wrong here ...
> 

Sadly "being compatible" with a broken design does not mean "working".
server-first only works nicely if the client, Squid, and server are
operating with the same TLS features - which is uncommon.


> Using the same SSL Bump config that we used for 3.4, we are now seeing this happen:
> 19/Mar/2015-16:21:32     22 d4:f4:6f:71:90:e6 10.0.1.71 TCP_DENIED 200 0 CONNECT 94.31.29.230:443 - server-first - HIER_NONE/- - -
> 

The CONNECT request in the clear-text HTTP layer is now subject to
access controls before any bumping takes place. Earlier Squid would let
the CONNECT through if you were bumping, even if it would have been
blocked by your access controls normally.

This is unrelated to server-first or any other ssl_bump action.

> Instead of this:
> 19/Mar/2015-14:42:04    736 d4:f4:6f:71:90:e6 10.0.1.71 TCP_MISS 200 96913 GET https://code.jquery.com/jquery-1.11.0.min.js - server-first Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%208_2%20like%20Mac%20OS%20X)%20AppleWebKit/600.1.4%20(KHTML,%20like%20Gecko)%20Mobile/12D508 ORIGINAL_DST/94.31.29.53 application/x-javascript -
> 

That is a different HTTP message from inside the encryption.


Amos
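As an added illustration of the evaluation order Amos describes (this is not the poster's configuration nor anything from the thread; the ACL names, the 10.0.1.0/24 network, the port number and the certificate path are assumptions), here is the shape a Squid 3.5 squid.conf takes so that the clear-text CONNECT passes http_access before any ssl_bump rule is consulted:

```conf
# Added example, not taken from the thread. ACL names, the client
# network, the listening port and the certificate path are assumptions.

acl localnet src 10.0.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Stage 1: the clear-text CONNECT from the client is evaluated here, in
# Squid 3.5, *before* any bumping. A CONNECT that matches a deny rule at
# this stage is logged as TCP_DENIED with the CONNECT method and nothing
# below ever runs for it, regardless of which ssl_bump action is set.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Stage 2: only a CONNECT that was allowed above reaches ssl_bump.
# server-first is still accepted in 3.5 but is the pre-peek/splice mode.
http_port 3128 ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on
ssl_bump server-first all

# Stage 3: the decrypted request (e.g. the GET for jquery-1.11.0.min.js)
# is a separate HTTP message and is checked against http_access again,
# which is what produces a TCP_MISS/GET line rather than the CONNECT line.
```

When a CONNECT shows up as TCP_DENIED in the log, the rule that denied it is one of the http_access lines in stage 1; that denial is independent of the ssl_bump action named in the log line.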


