[squid-users] Squid "bumping" traffic despite using "splice" directive
rousskov at measurement-factory.com
Thu Nov 12 19:12:58 UTC 2015
On 11/12/2015 11:31 AM, Tom Mowbray wrote:
> We're seeing some strange behavior where certain sites, especially those
> hosted by Google, including youtube.com <http://youtube.com>, where the
> HTTPS traffic is being "bumped" and users are getting certificate errors
> with our self-signed certificate and CA appearing in the certificate
Can you tell what Squid is sending on some of those bumped connections?
Could it be an error message? What does access.log say?
> What is strange is that we have the squid.conf set to either "splice" or
> "terminate" all HTTPS traffic. There is NO traffic that is supposed to
> be bumped at all (because we are not able to load our CA cert on all
> client machines).
> Here is the significant portion of our squid.conf:
> acl sslallow ssl::server_name "/path/to/file"
> ssl_bump peek all
> ssl_bump splice sslallow
> ssl_bump terminate all
> Most of the sites in acl sslallow work as expected...but some sites come
> back with a certificate error as described above, suggesting that they
> were "bumped" using our mimicked certificate. This behavior also isn't
> 100% reproducible...sometimes it works as expected, though it usually
> does not.
Do you tell Squid to splice on all SSL validation errors and when seeing
non-SSL traffic on expecting-SSL connections? If yes, then this is most
likely a Squid bug. Otherwise, perhaps Squid is trying to inform users
of an error? Triage is needed to understand why Squid is bumping.
There is also a possibly related bug 4321, but it should not affect
steps 2 and 3 where you terminate connections:
> Another note: Seems to happen mainly on mobile browsers and on Chrome
> browser running on Google Chromebooks.
> Is there something I'm missing? Is there a way to ensure that NO sites
> are being bumped at all?
Yes, there are (or should be) three ways:
1. Do not use SslBump at all.
2. Use "ssl_bump splice all" rule and no other ssl_bump rule.
3. Do not use any "ssl_bump bump" and "ssl_bump stare" rules while
allowing all SSL errors and non-SSL traffic.
#1 is known to work. Others may or may not work, depending on your Squid
version, yet-unknown Squid bugs, and other specifics.
> (For our deployment, we'd rather terminate
> than bump if splicing isn't possible).
Your ssl_bump rules reflect your intent. However, when you use "ssl_bump
peek all", Squid has to validate SSL clients and servers (to various
degrees). Other Squid directives tell Squid what to do when that
validation fails. The ones I remember are on_unsupported_protocol and
sslproxy_cert_error. Do you configure those directives to ignore all
errors (and, hence, let users deal with them, including abusing them for
tunnelling anything through your Squid)?
More information about the squid-users