[squid-users] Server-first SSL bump in Squid 3.5.x

Dan Charlesworth dan at getbusi.com
Thu Mar 19 06:41:56 UTC 2015


Right, I see.

So I’ve got a special ACL to always allow that Test URL for the sake of our certcheck … but it’s doing it by dstdomain. So if there are rules to say “always redirect to the certificate splash page if you can’t connect to the URL”, then it will never pass it because the initial CONNECT step can never match a dstdomain and will always be DENIED.

So what I really need to do is change that test URL’s ACL to be a dst instead (and find a URL that isn’t going to resolve to different IPs over time). Okay.

While we’re at it, is there a Peek & Splice "equivalent" of the config I posted before?

Kind regards
Dan

> On 19 Mar 2015, at 5:18 pm, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
> On 19/03/2015 6:36 p.m., Dan Charlesworth wrote:
>> Hey y’all
>> 
>> Finally got 3.5.2 running. I was under the impression that using server-first SSL bump would still be compatible, despite all the Peek & Splice changes, but apparently not. Hopefully someone can explain what might be going wrong here ...
>> 
> 
> Sadly "being compatible" with a broken design does not mean "working".
> server-first only works nicely if the client, Squid, and server are
> operating with the same TLS features - which is uncommon.
> 
> 
>> Using the same SSL Bump config that we used for 3.4, we're now seeing this happen:
>> 19/Mar/2015-16:21:32     22 d4:f4:6f:71:90:e6 10.0.1.71 TCP_DENIED 200 0 CONNECT 94.31.29.230:443 - server-first - HIER_NONE/- - -
>> 
> 
> The CONNECT request in the clear-text HTTP layer is now subject to
> access controls before any bumping takes place. Earlier Squid would let
> the CONNECT through if you were bumping, even if it would have been
> blocked by your access controls normally.
> 
> This is unrelated to server-first or any other ssl_bump action.
> 
>> Instead of this:
>> 19/Mar/2015-14:42:04    736 d4:f4:6f:71:90:e6 10.0.1.71 TCP_MISS 200 96913 GET https://code.jquery.com/jquery-1.11.0.min.js - server-first Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%208_2%20like%20Mac%20OS%20X)%20AppleWebKit/600.1.4%20(KHTML,%20like%20Gecko)%20Mobile/12D508 ORIGINAL_DST/94.31.29.53 application/x-javascript -
>> 
> 
> That is a different HTTP message from inside the encryption.
> 
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
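The two points made in this thread, as an added Squid 3.5 config sketch that is not Dan's posted config nor anything from the Squid project: the intercepted CONNECT is checked by http_access before any ssl_bump step, so an "always allow the cert-check URL" rule has to match on the destination IP (dst), and the server-first line is replaced by a peek at step 1 followed by bump (or splice) at step 2. The port number, certificate path, the 192.0.2.10 address and the .certcheck.example name are assumptions standing in for the real values.

```squid
# Intercepted HTTPS, as in the access.log line above (CONNECT to a bare IP).
# Port, certificate path and cache size are assumed values.
https_port 3129 intercept ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl SSL_ports port 443
acl CONNECT method CONNECT

# The fake CONNECT that Squid builds for an intercepted connection carries only
# dst_ip:port, so a dstdomain ACL can never match it at this point.
# Match the cert-check target by address instead (192.0.2.10 is an assumed value).
acl certcheck_ip dst 192.0.2.10
acl certcheck_host ssl::server_name .certcheck.example   # assumed name; matches SNI once peeked

# http_access runs on the clear-text CONNECT before any bumping takes place.
http_access allow CONNECT certcheck_ip
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Peek & Splice replacement for "ssl_bump server-first all":
# read the client hello (SNI) at step 1, then decide at step 2.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice certcheck_host   # leave the cert-check site as an opaque tunnel
ssl_bump bump all                # bump everything else
```

A practitioner's check after reloading: a TCP_DENIED CONNECT to the cert-check address in access.log means the http_access rule did not match the IP, while a HIER_NONE/TCP_TUNNEL entry for that address means the splice line fired as intended. The splice line is optional; with only "peek step1" and "bump all", Squid bumps every intercepted connection, which is the closest equivalent to the old server-first behaviour.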
