[squid-users] sslBump adventures in enterprise production environment

Yuri Voinov yvoinov at gmail.com
Sun Nov 15 20:00:52 UTC 2015


16.11.15 1:39, Alex Rousskov writes:
> On 11/15/2015 12:03 PM, Eugene M. Zheganin wrote:
>> It's not even HTTPS, it's a tunneled HTTP CONNECT. But
>> squid for some reason thinks there should be HTTPS inside.
>
>
> Hello Eugene,
>
>     Squid currently supports two kinds of CONNECT tunnels:
>
> 1. A regular opaque tunnel, as intended by HTTP specifications.
>
> 2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic.
>
> Opaque tunnels are the default. Optional SslBump-related features allow
> the admin to designate admin-selected CONNECT tunnels for HTTPS
> inspections (of various depth). This distinction explains why and when
> Squid expects "HTTPS inside".
>
> There is currently no decent support for inspecting CONNECT tunnels
> other than SSL/TLS-encrypted HTTP (i.e., HTTPS) tunnels.
>
> Splicing a tunnel at SslBump step1 converts a to-be-inspected tunnel
> into an opaque tunnel before inspection starts.
>
> The recently added on_unsupported_protocol directive can automatically
> convert being-inspected non-HTTPS tunnels into opaque ones in some
> common cases, but it needs more work to cover more cases.
>
>
> AFAICT, you assume that "splicing" turns off all tunnel inspection. This
> is correct for step1 (as I mentioned above). This is not correct for
> other steps because they happen after some inspection already took
> place. Inspection errors that on_unsupported_protocol cannot yet handle
> may result in connection termination and other problems.
>
>
> If Squid behavior contradicts some of the above rules, it is probably a
> bug we should fix. Otherwise, it is likely to be a missing feature.
>
>
> Finally, if Squid kills your ICQ (non-HTTPS) client tunnels, you need to
> figure out whether those connections are inspected (i.e., go beyond
> SslBump step1). If they are inspected, then this is not a Squid bug but
> a misconfiguration (unless the ACL code itself is buggy!). If they are
> not inspected, then it is probably a Squid bug. I do not have enough
> information to distinguish between those cases, but I hope that others
> on the mailing list can guide you towards a resolution given the above
> information.
I do not think it's killing them. It looks like an outgoing connection
goes to the server, and then silence: there is no reaction in the log.
The client hangs waiting for a response from the server.
>
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
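The step-based behaviour Alex describes above, written out as an added squid.conf fragment (this is example configuration, not from the thread or from the Squid project): CONNECT targets known to carry a non-TLS protocol are spliced at step1 so they stay opaque tunnels and no inspection ever starts; everything else is peeked at step1 and bumped afterwards; on_unsupported_protocol is kept as a fallback for non-TLS tunnels that slipped past step1. The ACL names and the port number are assumptions chosen for illustration.

```squid
# Added example squid.conf fragment; ACL names and the port value are
# assumptions for illustration, not settings from the thread.

# SslBump processing steps: step1 sees only the CONNECT request (host:port),
# step2 sees the client's TLS ClientHello, step3 sees the server certificate.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Assumed: CONNECT tunnels to this destination port carry a non-TLS protocol
# (an IM client, as in the thread). Matching them at step1 is what keeps them
# opaque; a splice decision at any later step comes after inspection began.
acl nonTlsTunnel port 5190

# Step1 decisions: splice known non-TLS tunnels immediately (opaque tunnel),
# otherwise peek to learn the TLS SNI before deciding further.
ssl_bump splice step1 nonTlsTunnel
ssl_bump peek step1

# Beyond step1 the tunnel is already being inspected as HTTPS; bump it.
# (A bare "ssl_bump bump all" with no step1 splice rule is the weak form:
# it would also bump the non-TLS tunnel and leave that client hanging.)
ssl_bump bump all

# Fallback for non-TLS tunnels not classified at step1: turn them back into
# opaque tunnels instead of failing. Squid 4 directive; as noted above it
# covers some common cases only, so the step1 rule remains the primary fix.
on_unsupported_protocol tunnel all
```

The order of the ssl_bump lines matters: the step1 splice rule must come before the step1 peek rule, because Squid uses the first matching rule at each step. Checking which rule matched for a hung client is easiest by watching access.log for the CONNECT entry and confirming it was spliced rather than bumped.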
