[squid-users] 3.5.8 — SSL Bump questions

James Lay jlay at slave-tothe-box.net
Tue Sep 8 20:18:55 UTC 2015


On 2015-09-08 01:54 PM, Alex Rousskov wrote:
> On 09/07/2015 11:36 PM, Dan Charlesworth wrote:
>> First, here’s my config (shout out to James Lay):
> 
>> acl client_hello_peeked at_step SslBump2
>> ssl_bump splice client_hello_peeked bump_bypass_domains
>> ssl_bump bump client_hello_peeked
> 
> Just in case somebody tries to copy this:
> 
> AFAICT, in Squid v3.5.8, the above config does not make sense. Since
> client_hello_peeked does not match during step1, no ssl_bump rules will
> match during step1, and so the above is equivalent to:
> 
>   ssl_bump splice !all
>   ssl_bump bump !all
> 
> which, in turn, should be equivalent to:
> 
>   ssl_bump splice all
> 
> because "splice" is the default ssl_bump action unless Squid has been
> "staring". That, in turn, should be nearly equivalent to not using
> SslBump at all. There are some side effects related to the
> always-performed SslBump step1 actions that you may observe, but I
> doubt you were after those side effects.
> 
> Alex.
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

I recall that in testing something similar was proposed, but it did not 
function as intended, but that was....gosh I'm not sure how many revs 
back.  I'm currently having great success with 3.5.8 and this 
peek/splice only method using transparent intercept:

###############################
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump peek step2 all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate all
###############################

I didn't really have a reason to actually bump and decrypt, just to 
allow/disallow.  I still see peek only 
(http://bugs.squid-cache.org/show_bug.cgi?id=4256) in the logs for both 
successfully spliced and terminated sessions, but eh...I know it's 
working otherwise I'd have unhappy children :D

James
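Added example, not part of this thread and not Squid's own code: a small Python model of how Squid 3.5 walks ssl_bump rules step by step, used to check the two configurations discussed above. It assumes the documented semantics (first rule whose ACLs all match wins at each step; no match defaults to splice unless the previous step stared; splice, bump and terminate end evaluation; the SNI name is only available from step 2 on). The bump_bypass_domains list and the allowed-sites patterns are constructed stand-ins for the ACL files in the original configs.

```python
import re

# Constructed model of Squid 3.5 ssl_bump evaluation (assumption: this mirrors
# the documented rule semantics; it is not Squid's code). Per step, the first
# rule whose ACLs all match wins; no match means "splice", or "bump" if the
# previous step "stared"; splice/bump/terminate end the evaluation; the SNI
# server name is only known from step 2 onward.

def at_step(n):
    """Model of 'acl name at_step SslBumpN'."""
    return lambda step, ctx: step == n

def all_acl():
    """Model of the built-in 'all' ACL."""
    return lambda step, ctx: True

def server_name_regex(patterns):
    """Model of 'acl name ssl::server_name_regex ...' with an inline pattern list."""
    regexes = [re.compile(p) for p in patterns]
    return lambda step, ctx: step >= 2 and any(
        r.search(ctx.get("server_name", "")) for r in regexes)

FINAL_ACTIONS = {"splice", "bump", "terminate"}

def evaluate(rules, ctx):
    """Return the (step, action) trace for one connection.

    rules: list of (action, [acl, ...]) in squid.conf order.
    ctx:   per-connection facts, e.g. {"server_name": "www.example.com"}.
    """
    trace = []
    previous = None
    for step in (1, 2, 3):
        chosen = None
        for action, acls in rules:
            if all(acl(step, ctx) for acl in acls):
                chosen = action
                break
        if chosen is None:
            chosen = "bump" if previous == "stare" else "splice"
        trace.append((step, chosen))
        if chosen in FINAL_ACTIONS:
            break
        previous = chosen
    return trace

def step2_only_config():
    """Dan's two rules: both gated on SslBump2, so nothing matches at step 1."""
    client_hello_peeked = at_step(2)
    bump_bypass_domains = server_name_regex([r"bank\.example$"])  # constructed list
    return [
        ("splice", [client_hello_peeked, bump_bypass_domains]),
        ("bump",   [client_hello_peeked]),
    ]

def peek_splice_config():
    """James's peek/peek/splice-or-terminate rules with a constructed allow list."""
    allowed_https_sites = server_name_regex([r"\.example\.com$"])  # constructed
    return [
        ("peek",      [at_step(1), all_acl()]),
        ("peek",      [at_step(2), all_acl()]),
        ("splice",    [at_step(3), allowed_https_sites]),
        ("terminate", [all_acl()]),
    ]

if __name__ == "__main__":
    for name, rules in (("step2-only", step2_only_config()),
                        ("peek/splice", peek_splice_config())):
        for sni in ("www.example.com", "tracker.example.net"):
            print(name, sni, evaluate(rules, {"server_name": sni}))
```

Running the model shows the step2-only config spliced at step 1 for every connection, which is the "splice all" equivalence Alex describes, while the peek/peek/splice config reaches step 3 and splices or terminates by server name.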