[squid-users] SSL Peak and Splice

Casey Daniels mailinglist at cd.kcfam.net
Thu May 14 23:15:48 UTC 2015



On 05/14/2015 12:37 AM, Amos Jeffries wrote:
>> Yes the second option, not the particular machine, but the FQDN
>> (i.e.<http://www.cooking.com> )
>
>   # get TLS SNI details etc
>   ssl_bump peek all
>
>   # some get rejected
>   acl blocked ssl::server_name .example.com
>   ssl_bump reject blocked
>
>   # the rest allowed without decrypting
>   ssl_bump splice all
>
>
>> When is the TLS SNI information made available by the client?
> They send it or they don't. Nothing you or we can do about it.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

One follow-up question.

You said "They send it or they don't. Nothing you or we can do about 
it." Are you referring to the fact that we have no control over whether they send 
it or not, or that there is nothing we can do if they don't?

My question is, is there some way to either reject the connection, or do 
a full SSL bump on the connection for further examination if the TLS SNI 
information isn't present?  From my understanding all modern browsers 
should be sending the TLS SNI information, and the SSL fallback has been 
disabled by default on them except for Windows IE.  So blocking 
connections that fail to give TLS SNI information doesn't appear to be a 
problem except for people using outdated devices.

Casey
