[squid-users] ALPN, HTTP/2 and sslbump

senor frio_cervesa at hotmail.com
Wed Nov 8 18:22:50 UTC 2017


Thanks Amos. I guess I was assuming that squid was just copying the ALPN 
extension info from Client Hello without regard to capabilities (squid 
3.5.26). I'll take another stab at the debug info and post more details 
if that doesn't pop something up.


Senor


On 11/7/2017 20:29, Amos Jeffries wrote:
> On 08/11/17 17:15, senor wrote:
>> I am surprised that I didn't find this question asked and answered
>> recently. Maybe this issue is newer than I realize.
>>
>> I understand that support of HTTPS/2 is in development but I'd like to
>> better understand what is and is not currently supported. I discovered
>> the other day that an intercepted client https connection, which
>> included both h2 and http/1.1 in the ALPN extension, was tunneled when
>> the server responded with only h2. I'm assuming that was due to squid
>> not fully supporting HTTP/2.
>
> Hmm. If you are using SSL-Bump to bump the traffic the current Squid 
> should be delivering an ALPN containing only HTTP/1.1 to the server. 
> Sending h2 in the ALPN is only valid if the proxy supports h2 natively 
> or intends up front to splice the transaction back to "tunneled".
>
>
>>
>> My initial need is to prevent the tunnel. Preferably by forcing http/1.1
>> and bumping but just denying the connection is second best. I'm not
>> aware of any squid built-in mechanisms to manage ALPN or HTTP/2 so I'm
>> thinking the external_acl is the only way to go. I think the client ALPN
>> data is available at bump step 2 but what options do I have at that 
>> point?
>>
>> Help or corrections to my assumptions are appreciated.
>>
>
> Any info about your Squid version, and squid.conf contents - 
> especially http_access and SSL-Bump related things would be useful. 
> Random guesses about complex things like TLS are harmful to solving 
> actual problems.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users



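Worked example added here to illustrate the ALPN handling Amos describes; this is not Squid code and not from the original thread. It builds a constructed TLS 1.2 ClientHello carrying an ALPN extension, parses the ALPN list back out (the data available at bump step 2), and then applies the rule from the reply: a bumping proxy that itself only speaks HTTP/1.1 (assumed here as PROXY_PROTOCOLS) may forward only "http/1.1" upstream, and must splice when the client offered nothing the proxy implements. A last helper classifies the server's ALPN choice, including the case from the original post where the server answers h2 and the proxy can only tunnel bytes. All function and constant names are the example's own.

```python
"""Added example (not Squid code): inspect the ALPN extension of a TLS
ClientHello and decide what ALPN list a bumping proxy may send upstream."""
import struct

ALPN_EXT_TYPE = 16
# Assumption: the proxy natively speaks only HTTP/1.1 (as Squid 3.5 does).
PROXY_PROTOCOLS = ("http/1.1",)


def build_client_hello(alpn_protocols, sni="example.com"):
    """Construct a minimal TLS 1.2 ClientHello record with SNI and ALPN.
    Constructed test input only: fixed random, one cipher suite."""
    random = b"\x11" * 32
    session_id = b"\x00"                       # empty session id
    ciphers = b"\x00\x02" + b"\xc0\x2f"        # one suite: ECDHE-RSA-AES128-GCM-SHA256
    comp = b"\x01\x00"                         # null compression only
    host = sni.encode()
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = (struct.pack("!HH", 0, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    # ALPN (RFC 7301): 2-byte list length, then 1-byte-length-prefixed names
    names = b"".join(bytes([len(p)]) + p.encode() for p in alpn_protocols)
    alpn_list = struct.pack("!H", len(names)) + names
    alpn_ext = struct.pack("!HH", ALPN_EXT_TYPE, len(alpn_list)) + alpn_list
    exts = sni_ext + alpn_ext
    body = (b"\x03\x03" + random + session_id + ciphers + comp
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:]   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake + b"" if False else \
        b"\x16\x03\x01" + struct.pack("!H", len(handshake) + len(body)) + handshake + body


def parse_alpn(record):
    """Return the ALPN protocol names from a ClientHello record ([] if absent)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                  # header, version, random
    sid_len = hs[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len
    comp_len = hs[p]; p += 1 + comp_len
    if p >= len(hs):
        return []                                   # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        if etype == ALPN_EXT_TYPE:
            data = hs[p:p + elen]
            list_len = struct.unpack("!H", data[:2])[0]
            q, protos = 2, []
            while q < 2 + list_len:
                n = data[q]; protos.append(data[q + 1:q + 1 + n].decode()); q += 1 + n
            return protos
        p += elen
    return []


def upstream_alpn(client_alpn, proxy_protocols=PROXY_PROTOCOLS):
    """What a bumping proxy may offer the origin: only protocols it speaks.
    If the client offered none of them, the proxy must splice and relay the
    client's ALPN untouched rather than advertise something it cannot bump."""
    shared = [p for p in client_alpn if p in proxy_protocols]
    if shared:
        return ("bump", shared)
    return ("splice", list(client_alpn))


def handle_server_alpn(offered, selected, proxy_protocols=PROXY_PROTOCOLS):
    """Classify the server's ALPN selection against what was actually offered."""
    if selected is None:
        return "bump"        # server sent no ALPN: HTTP/1.1 semantics, bump is fine
    if selected not in offered:
        return "abort"       # RFC 7301: server may only pick from the offered list
    if selected in proxy_protocols:
        return "bump"
    return "tunnel"          # e.g. h2 was forwarded and the server chose it: bytes only


if __name__ == "__main__":
    hello = build_client_hello(["h2", "http/1.1"])
    offered = parse_alpn(hello)
    print("client offered:", offered)
    print("upstream decision:", upstream_alpn(offered))
    print("server picks h2 after both were forwarded:",
          handle_server_alpn(offered, "h2"))
```

Run directly and it prints the client's ALPN list, the "bump" decision with only http/1.1 retained, and "tunnel" for the server-picks-h2 case that the original post observed. The parser deliberately walks the ClientHello by hand so the offsets of session id, cipher suites and compression methods are visible; a real proxy would of course use its TLS library's callbacks rather than this.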