[squid-users] SSL Peak and Splice

Amos Jeffries squid3 at treenet.co.nz
Thu May 14 04:37:19 UTC 2015


On 14/05/2015 10:47 a.m., Casey Daniels - mailinglist wrote:
>> On May 13, 2015 at 3:25 AM Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>
>>
>> On 13/05/2015 6:17 a.m., Casey Daniels wrote:
>>> Hi,
>>> I've been trying to figure out how to do some web filtering on HTTPs,
>>> with no really good options given the layout I have. But then I just
>>> happened to see this feature for Squid 3.5, and was wondering if I'm
>>> understanding it correctly.
>>>
>>> With the Peak and Splice feature, is it possible to run squid in a
>>> transparent mode for SSL, and check for certain host and either deny the
>>> connection all together or allow the connection without further
>>> interference from Squid? Would this be completely transparent without
>>> adding a trusted certificate from the proxy server to all user devices?
>>
>> Depends on how you define "host" and what the TLS ClientHello
>> information contains.
>>
>> If you define "host" in the official standard Internet terminology (a
>> single machine). Then no its not possible. NAT and "load balancing"
>> utterly destroyed the ability to determine if the host being spoken to
>> is the host indicated in the packets.
>> Case in point is your interceptor - a completely different host to the
>> one the client sees in its packets. Nothing stops other interceptors
>> existing upstream from you.
>>
>> If by "host" you actally meant FQDN or host *name*. It can be done when
>> and only when the TLS SNI information is made available by the client.
>>
>> Amos
>>
> 
> Yes the second option, not the particular machine, but the FQDN
> (i.e. <http://www.cooking.com>)


 # peek at the TLS ClientHello to get the SNI details etc (no decryption)
 ssl_bump peek all

 # some get rejected: ssl::server_name matches the SNI name,
 # "terminate" is the ssl_bump action that closes the connection
 acl blocked ssl::server_name .example.com
 ssl_bump terminate blocked

 # the rest allowed without decrypting
 ssl_bump splice all


> When is the TLS SNI information made available by the client? 

They send it or they don't. Nothing you or we can do about it.

Amos
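As an added illustration that is not part of the thread: the Python below parses the plaintext server_name extension out of a TLS ClientHello, which is all the "peek" step needs, and applies the same block-or-splice decision as the config above. The ClientHello bytes are constructed in the script rather than captured, and the no-SNI case shows why the filtering depends on the client sending it.

```python
import struct

def build_client_hello(sni=None):
    """Constructed sample TLS 1.2 ClientHello record (not a real capture).
    sni=None omits the server_name extension, as some clients do."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni_list)) + sni_list   # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                             # client_version, random
            + b"\x00"                                              # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                   # one cipher suite
            + b"\x01\x00"                                          # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record

def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                      # not a handshake record carrying a ClientHello
    p = 9 + 2 + 32                       # skip record/handshake headers, version, random
    p += 1 + record[p]                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher suites
    p += 1 + record[p]                   # compression methods
    if p + 2 > len(record):
        return None                      # no extensions block at all
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0 and ext_len >= 5 and record[p + 2] == 0:   # server_name / host_name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None

def decide(record, blocked=(".example.com",)):
    """Mirror the ssl_bump rules above: terminate on a blocked SNI, otherwise splice.
    A Squid-style ".example.com" entry matches the domain and its subdomains."""
    name = extract_sni(record)
    if name is None:
        return "splice"                  # client sent no SNI: nothing to match, no filtering possible
    if any(name == d.lstrip(".") or name.endswith(d) for d in blocked):
        return "terminate"
    return "splice"
```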

