[squid-users] SSL Bump missing facebook app traffic (resumed SSL sessions?)

Cohen-Rose, Adam Adam.Cohen-Rose at sky.uk
Mon May 9 10:05:43 UTC 2016


Hi there,

We're running squid with SSL bump as a transparent proxy in order to
control access to particular SSL sites.

We've noticed an issue with access to facebook from within the facebook
app -- specifically it can get through the proxy even though it is *not*
listed as a domain to splice. Accessing the facebook site from a web
browser is blocked as expected.

Looking at packets in Wireshark, the app traffic that gets through seems
to use a different style of SSL handshake from the web traffic as follows:

App traffic:
> client hello
< server hello, change cipher spec
  - change cipher spec message: this session reuses previously negotiated
    keys (session resumption)
< encrypted handshake message
> change cipher spec, encrypted handshake message, application data
> application data


Web traffic:
> client hello
< server hello
< certificate
< server key exchange
> client key exchange
> change cipher spec
> encrypted handshake message
< new session ticket, change cipher spec, encrypted handshake message
> application data



I suspect this may be the same or a similar issue referred to in the
3.5.19 release changes (TLS: Fix SSL alert message and session resume
handling) -- would someone please confirm or deny?

And if we were to upgrade to 3.5.19, is the build on CentOS 6 a relatively
easy one? We've been using Eliezer Croitoru's builds so far, but I don't
think he's had time to make the latest build yet!


For reference, the relevant parts of our squid configuration are as
follows:

https_port {squid-ip}:443 cert=/path/to/cert key=/path/to/key sslflags=NO_DEFAULT_CA intercept ssl-bump
acl to_teads_tv_ssl ssl::server_name .teads.tv
ssl_bump splice to_teads_tv_ssl

acl hello at_step SslBump1 SslBump2
ssl_bump peek hello
ssl_bump terminate all



Thank you for your help!

Adam



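Added example (not part of the original post, and not Squid code): a Python classifier that tells the two handshake shapes listed in the message apart from the server-to-client TLS record stream, by checking whether a Certificate message appears before the server's ChangeCipherSpec. It assumes TLS 1.2 or earlier, where handshake messages before ChangeCipherSpec are unencrypted; the function names and sample byte strings are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20   # TLS record content types
SERVER_HELLO, CERTIFICATE = 2, 11        # handshake message types

def records(stream: bytes):
    """Yield (content_type, payload) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5 : pos + 5 + length]
        if len(payload) < length:
            break  # truncated capture
        yield ctype, payload
        pos += 5 + length

def classify_server_flight(stream: bytes) -> str:
    """Return 'full', 'resumed' or 'unknown' for server-to-client bytes."""
    plaintext, saw_ccs = b"", False
    for ctype, payload in records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            saw_ccs = True   # everything after this record is encrypted
            break
        if ctype == HANDSHAKE:
            plaintext += payload  # reassemble messages split across records
    seen, pos = set(), 0
    while pos + 4 <= len(plaintext):
        seen.add(plaintext[pos])
        pos += 4 + int.from_bytes(plaintext[pos + 1 : pos + 4], "big")
    if SERVER_HELLO not in seen:
        return "unknown"
    if CERTIFICATE in seen:
        return "full"
    # ServerHello followed directly by ChangeCipherSpec: abbreviated handshake
    return "resumed" if saw_ccs else "unknown"

# Constructed sample data (dummy bodies, not captured traffic).
def rec(ctype, body):
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def hs(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

RESUMED_FLIGHT = rec(22, hs(2, bytes(38))) + rec(20, b"\x01") + rec(22, b"\xaa" * 40)
FULL_FLIGHT = (rec(22, hs(2, bytes(38)) + hs(11, bytes(10)) + hs(12, bytes(8)) + hs(14, b""))
               + rec(22, hs(4, bytes(6))) + rec(20, b"\x01") + rec(22, b"\xbb" * 40))
```

A flow classified as resumed never carries a server certificate on the wire, so any check that relies on seeing the Certificate message has nothing to inspect for that connection.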