[squid-users] SSL Bump missing facebook app traffic (resumed SSL sessions?)

Amos Jeffries squid3 at treenet.co.nz
Tue May 10 12:41:30 UTC 2016 

On 9/05/2016 10:05 p.m., Cohen-Rose, Adam wrote:
> Hi there,
> 
> We¹re running squid with SSL bump as a transparent proxy in order to
> control access to particular SSL sites.
> 
> We¹ve noticed an issue with access to facebook from within the facebook
> app -- specifically it can get through the proxy even though it is *not*
> listed as a domain to splice. Accessing the facebook site from a web
> browser is blocked as expected.
> 
> Looking at packets in Wireshark, the app traffic that gets through seems
> to use a different style of SSL handshake from the web traffic as follows:
> 
> App traffic:
>> client hello
> < server hello, change cipher spec
>   - change cipher spec message: this session reuses previously negotiated
> keys (session resumption)
> < encrypted handshake message
>> change cipher spec, encrypted handshake message, application data
>> application data
> 
> 
> Web traffic:
>> client hello
> < server hello
> < certificate
> < server key exchange
>> client key exchange
>> change cipher spec
>> encryped handshake message
> < new session ticket, change cipher spec, encrypted handshake message
>> application data
> 
> 
> 
> I suspect this may be the same or a similar issue referred to in the
> 3.5.19 release changes (TLS: Fix SSL alert message and session resume
> handling) -- would someone please confirm or deny?
> 

Not sure enough to answer that Q sorry. But if you are bumping at all
you should upgrade anyway. The problem(s) that it fixes are relatively
common even if they are not the specific one you noticed.


> And if we were to upgrade to 3.5.19, is the build on Centos 6 a relatively
> easy one? We¹ve been using Eliezer Croitoru¹s builds so far, but I don¹t
> think he¹s had time to make the latest build yet!

He should be doing it real soon now, if not already done and just
testing to make sure it works okay.

> 
> For reference, the relevant parts of our squid configuration are as
> follows:
> 
> https_port {squid-ip}:443 cert=/path/to/cert key=/path/to/key
> sslflags=NO_DEFAULT_CA intercept ssl-bump

FYI: "intercept ssl-bump" should be the first options on the line after
the port. It doesn't matter in 3.x, but will in the future versions as
the mode determines how the following cert/key options are interpreted
and ssl-bump determines what type of properties the cert requires.

Amos

More information about the squid-users mailing list