[squid-users] question about ssl_bump
Alex Rousskov
rousskov at measurement-factory.com
Thu Mar 10 03:17:48 UTC 2016
On 03/09/2016 08:00 PM, Alex Samad wrote:
> from http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> # Better safe than sorry:
> # Terminate all strange connections.
> ssl_bump splice serverIsBank
> ssl_bump bump haveServerName
> ssl_bump peek all
> ssl_bump terminate all
>
> I am not sure how haveServerName is constructed
It is up to the Squid admin.
> I read this as
> 1) splice the connection if it meets ACL serverIsBank
Yes. I would replace "if" with "as soon as", to be slightly more precise.
> 2) bump the connection (MTM) if acl haveServerName is meet
Yes. I would replace "if" with "as soon as", to be slightly more precise.
> 3) try and peek the ssl connection . which I understands is start MTM
There is no "try" here. Bugs/problems notwithstanding, "peek" always
succeeds. Roughly speaking, this non-final action receives either SSL
client or SSL server information (depending on the SslBump step) without
changing any bytes on the wire. The "MTM" tern is too vague/overloaded
to use in this specific context, but you can think of peeking as a
"passive MitM" if it helps).
Please note that the peek action can only match during the first two
SslBump steps. It is ignored during the third step.
> whilst keeping the ability to splice. I presume this means look at the
> client cert and the server cert ? so you get more info.... But this
> doesn't stop the process ?
Yes, when peek ACL matches, Squid moves to the next SslBump step.
> 4) terminate all that get here. again nothing stops at #3 it just
> gathers more info ?
Yes. To quote the same page you are citing: "All actions except peek and
stare correspond to final decisions: Once an ssl_bump directive with a
final action matches, no further ssl_bump evaluations will take place,
regardless of the current processing step."
HTH,
Alex.
More information about the squid-users
mailing list