[squid-users] about sni
Amos Jeffries
squid3 at treenet.co.nz
Tue Feb 16 01:13:14 UTC 2016
On 16/02/2016 12:46 p.m., HackXBack wrote:
> What are the requirements for ssl::server_name to work with SNI (squid
> 3.5.12) ?
>
> In principle, I want to do this (from squid.conf):
> ....
> # get the public TLS metadata (includes SNI)
> ssl_bump peek all
>
This will peek at both step 1 and 2.
> # block based on SNI matching
> acl blocked ssl::server_name .example.com
> ssl_bump terminate blocked
>
This is only reached at step 3. Which means it will happen based on
server cert matching (*NOT SNI*). Also, terminate seems to require
similar operations to bump, so after the step 2 peek it may not work
reliably.
> # tunnel (no decrypting) for everything else
> ssl_bump splice all
> .....
>
> Few questions regarding the pre-requisites for this to work:
> - It should not be necessary to install Squid's cert in the client, correct?
Correct. SNI has nothing to do with whether the client trusts *Squid's*
certificate.
> - squid.conf: Anything missing in next line (cert for squid ) ?
> http_port 3129 intercept ssl-bump
The cert= settings are still required here, that is just to get ssl-bump
operating.
> - Anything else required ?
>
* The client is required to send SNI.
* Squid peek or stare action is required to be configured at step 1 of
ssl_bump processing.
That is all.
Amos
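As an added illustration (not part of the original thread, and not the poster's own configuration), here is a squid.conf fragment that applies the two requirements above: peek only at step 1 so that the client's SNI is seen, then evaluate the ssl::server_name ACL at step 2 where it matches the SNI rather than the server certificate, and splice everything else. It assumes Squid 3.5's at_step ACL (SslBump1/SslBump2), which the thread itself does not mention, and the cert= path is a placeholder for your own CA certificate.

```conf
# http_port still needs cert= for ssl-bump to operate, even when the client
# will never be asked to trust it (no client-side CA install needed for SNI-only
# decisions). The path is a placeholder: point it at your own Squid CA.
http_port 3129 intercept ssl-bump cert=/etc/squid/squid-ca-placeholder.pem

# Name the ssl_bump steps so actions can be restricted to a particular step.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# SNI-based block list (the domain here is an example placeholder).
acl blocked ssl::server_name .example.com

# Step 1: peek at the client hello only. This is what makes the SNI available.
# Peeking again at step 2 (as "ssl_bump peek all" would) pushes the decision to
# step 3, where ssl::server_name matches the server certificate instead of SNI.
ssl_bump peek step1

# Step 2: the SNI is now known, so terminate blocked names here.
ssl_bump terminate blocked

# Everything else is tunnelled without decryption.
ssl_bump splice all
```

The order of the ssl_bump lines matters: Squid stops at the first rule whose ACLs match for the current step, so the terminate rule must come before the catch-all splice, and the peek rule must be limited to step1 for the terminate rule to be reached at step 2.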