[squid-users] SSL bumping without faked server certificates

Alex Rousskov rousskov at measurement-factory.com
Tue Nov 10 15:49:10 UTC 2015


On 11/10/2015 07:05 AM, Stefan Kutzke wrote:

> My assumption is that I have to use in Squid's config:

> acl MYSITE ssl::server_name .mydomain.com
> ssl_bump bump MYSITE
> ssl_bump splice all

> This results in tunneling all https traffic, nothing will be bumped and
> cached. 

Yes, probably because MYSITE (ssl::server_name) often needs SNI and SNI
is not available during step1 when MYSITE is evaluated in your config.
In other words, your config is equivalent to

  ssl_bump splice all

unless reverse DNS works perfectly well.


> I'm a little bit confused about the documentation:

> Under the headline "Processing steps":
> *Step 2:*
>  1. Get TLS clientHello info, including *SNI* where available. 


> Under the headline "Actions":
> peek/stare Receive client *SNI (step1)*, ...


I know it is confusing, but I cannot find a better way to explain this
in brief documentation without pictures. Improvements are welcomed. The
key here is that ssl_bump rules are evaluated at the end of a step and
usually allow Squid to do something at the beginning of the next step.

For example, during step1, Squid does not have SNI. If a peek rule
matches during step1, then Squid proceeds to step2. At the beginning of
step2, Squid gets SNI. Thus, a step1 peek rule controls whether Squid
will get SNI (during step2).


> Is it possible to achieve my goal with Squid in transparent mode?

It should be possible, but I do not know whether anybody has done exactly
that, so there could be some minor bugs along the way. You need the
configuration suggested by Sebastian and the latest Squid you can build.


HTH,

Alex.
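As an added illustration of the step ordering explained above (not part of the original thread or of any poster's config): a peek rule that matches at step1 lets Squid read the ClientHello, so an ssl::server_name ACL evaluated at step2 actually sees the SNI. The ACL names `step1` and `MYSITE` and the domain `.mydomain.com` are assumptions taken from the quoted config.

```conf
# Step-aware SslBump rules (constructed example, not the thread's own config).
# Rules are evaluated at the END of a step and decide what Squid does at the
# start of the NEXT step, so the SNI-based ACL must not be the first thing
# Squid can match on.

acl step1 at_step SslBump1
acl MYSITE ssl::server_name .mydomain.com

# End of step1: no SNI yet. Peek so that Squid parses the ClientHello
# (and therefore obtains SNI) at the beginning of step2.
ssl_bump peek step1

# End of step2: SNI is now known, so MYSITE can match. Bumping after
# peeking only at the client is still permitted.
ssl_bump bump MYSITE

# Everything that did not match MYSITE is tunneled untouched.
ssl_bump splice all
```

Without the `peek step1` line, the first rule evaluated at step1 is `bump MYSITE`, which cannot match (no SNI), so `splice all` wins for every connection, exactly the behaviour reported above. Run `squid -k parse` after editing to catch ACL typos such as a single colon in `ssl::server_name` before reloading.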
