[squid-users] Squid 3.5.19 how to find banking server name for no bump
squid3 at treenet.co.nz
Wed Jun 29 02:33:03 UTC 2016
On 29/06/2016 11:47 a.m., Stanford Prescott wrote:
> When I enter .wellsfargo.com in
> *acl tls_s1_connect at_step SslBump1*
> *acl tls_s2_client_hello at_step SslBump2*
> *acl tls_s3_server_hello at_step SslBump3*
> *acl tls_server_name_is_ip ssl::server_name_regex
> *acl tls_allowed_hsts ssl::server_name .akamaihd.net <http://akamaihd.net>*
> *acl tls_server_is_bank ssl::server_name .wellsfargo.com
> *acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank*
> *ssl_bump peek tls_s1_connect all*
> *ssl_bump splice tls_s2_client_hello tls_to_splice*
> *ssl_bump stare tls_s2_client_hello all*
> *ssl_bump bump tls_s3_server_hello all*
> it appears that the banking site is still getting bumped i.e.like in this
> access.log snippet
Most of the log entries have a) a raw-IP and no SNI, b) a non-wellsfargo
domain name [Google advertising].
All uses of CONNECT *.wellsfargo.com I have spotted in there also have a
"TCP_TUNNEL" tag - which means splice was done in accordance with your
For example; To follow one client:
Initial raw-TCP connection handling (TAG_NONE). No SNI available yet ...
> *1467156900.838 5423 10.40.40.100 TAG_NONE/200 0 CONNECT
> 22.214.171.124:443 <http://126.96.36.199:443> - HIER_NONE/- -*
... begin step-1 processing ...
[ Matches: ssl_bump peek tls_s1_connect all ]
[ Note that the wellsfargo ACL is not even reached at this stage. ]
[ If it did the string "188.8.131.52" != "*.wellsfargo.com" anyway ]
... which says to get the clientHello and SNI (if any) ...
> *1467156900.838 5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT
> www.wellsfargo.com:443 <http://www.wellsfargo.com:443> -
> ORIGINAL_DST/184.108.40.206 <http://220.127.116.11> -*
... begin step 2 processing. SNI available ...
[ The string "www.wellsfargo.com" ~= "*.wellsfargo.com" ]
[ Matches: ssl_bump splice tls_s2_client_hello tls_to_splice ]
... connection spliced (TCP_TUNNEL).
> If I disable sslbumping then the bank site does not get bumped, of course.
> 1467157349.321 230 10.40.40.100 TCP_MISS/301 243 GET
> http://wellsfargo.com/ - ORIGINAL_DST/18.104.22.168 -
That is http://, not HTTPS. ssl_bump has no relevance for plain-text
The same thing would be done for that request regardless of what your
ssl_bump settings are.
More information about the squid-users