[squid-users] About SSL peek-n-splice/bump configurations

Julian Perconti vh1988 at yahoo.com.ar
Mon Aug 13 00:57:01 UTC 2018

> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com>
> Sent: Sunday, August 12, 2018 20:50
> To: Julian Perconti <vh1988 at yahoo.com.ar>; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] About SSL peek-n-splice/bump configurations
> On 08/12/2018 04:09 PM, Julian Perconti wrote:
> > I would like to know which of these two cfg's are "better" or "more secure"
> > when a site/domain is spliced, bumped, etc.
> It is impossible to answer that question without knowing how _you_ define
> "better" or "more secure".

First of all: I am relatively new to the "ssl/tls filtering world". There are many things I don't understand very well yet.

You might be right and I am probably wrong.

What I meant was "security" from the client side when accessing a non-bumped or spliced site, e.g. a bank website... client-side "privacy", or a -real- man-in-the-middle attack due to Squid being in the middle.

It is well known that no system/network/O.S. is 100% secure, but, I don't know why, I always thought or still think that with an https proxy/filtering, the security or "the things" become more risky than if it did not exist. Even with Squid 100% correctly configured and the server well secured.

> > acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"
> > # ssl_bump option 1: (with this I don't see the domain in "TUNNEL"
> > line, just the IP addr.)
> >
> > ssl_bump peek step1
> > ssl_bump peek step2 noBumpSites
> > ssl_bump splice step3 noBumpSites
> > ssl_bump stare step2
> > ssl_bump bump step3
> >
> > # ssl_bump option 2: (with this I see the domain in "TUNNEL" line.)
> >
> > ssl_bump peek step1
> > ssl_bump splice noBumpSites
> > ssl_bump bump all
> >
> >
> > And (if possible) could anyone explain the difference between these 2 cfg's?
> Bugs notwithstanding, Option 1 looks at the TLS server Hello details
> (step2) before splicing or bumping the connections (at step3). Option 2 does
> not -- it splices or bumps based on TLS client Hello info only.

What does Squid do when I don't specify the step?

For example:

What does squid do with..:
ssl_bump splice step3 noBumpSites

...And what does it do instead with this?:
ssl_bump splice noBumpSites

> Option 1 should give Squid/you more information about the server when
> splicing the two connections. For example, you can use server certificate info
> during step3 and when logging.
> Option 1 should give the client more information about the server when
> bumping the client -- the client will get a mimicked server certificate detail
> with this option.
> I believe the information obtained at each step is documented at
> https://wiki.squid-cache.org/Features/SslPeekAndSplice

Yes, but many things are pretty complex to understand well, even when running tests.

> Please note that your
>   ssl_bump splice step3 noBumpSites
> is a bit risky because your noBumpSites may match differently on each step
> (as it gets more reliable information). It could match at step2 but not match
> at step3 or vice versa, but the decision to splice (or bump) is essentially made
> at step2 -- if you peeked at step2, then you should be splicing or terminating
> at step3 (and if you stared at step2, then you should be bumping or
> terminating at step3). Your rules may not follow that principle if noBumpSites
> matching changes.

I will consider this.

So, would you prefer option 2? For now, I am testing that option.

> > with Option 1 I don't see the domain in "TUNNEL" line, just the IP
> > addr.)
> I doubt that is how it is supposed to work. When splicing, Option 1 should
> have the same or more information so it should log the domain name if
> Option 2 has the domain name. If you are comparing log lines for identical
> transactions, then this could be a Squid bug.

I don't know, I am just telling what happens in the access.log when I switch between these ssl_bump configs.

> Alex.

Thank You

P.S.: Squid version 4.2 on Debian 9.5
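To make Alex's warning about noBumpSites matching differently at each step concrete, here is an added Python model of the two ssl_bump rule lists from the thread; it is not Squid code and not from either poster. It assumes a simplified view of what ssl::server_name can see when each step is evaluated (the CONNECT host at step1, the client Hello SNI at step2, the server certificate subject at step3) and uses a single constructed regex in place of /etc/squid/url.nobump.

```python
import re

# Constructed stand-in for /etc/squid/url.nobump (one regex instead of a file).
NO_BUMP_SITES = re.compile(r"(^|\.)bank\.example$", re.IGNORECASE)

# (action, step or None for "any step", acl name or None): the two option lists from the thread.
OPTION_1 = [("peek", 1, None), ("peek", 2, "noBumpSites"), ("splice", 3, "noBumpSites"),
            ("stare", 2, None), ("bump", 3, None)]
OPTION_2 = [("peek", 1, None), ("splice", None, "noBumpSites"), ("bump", None, None)]

FINAL = {"splice", "bump", "terminate"}  # actions that end ssl_bump processing

def name_seen_at(step, tx):
    """Assumed, simplified model of the name ssl::server_name can match at each step:
    step1 the CONNECT host, step2 the client Hello SNI, step3 the server certificate subject."""
    return {1: tx["connect_host"], 2: tx["sni"], 3: tx["cert_subject"]}[step]

def evaluate(rules, tx):
    """Return the action chosen at each step (first matching rule wins), stopping at a final action."""
    chosen = []
    for step in (1, 2, 3):
        action = "none"
        for rule_action, rule_step, acl in rules:
            if rule_step not in (None, step):
                continue  # rule is pinned to a different step
            if acl == "noBumpSites" and not NO_BUMP_SITES.search(name_seen_at(step, tx)):
                continue  # ACL does not match with the information available at this step
            action = rule_action
            break
        chosen.append(action)
        if action in FINAL:
            break
    return chosen

def violates_peek_stare_principle(chosen):
    """Flag the risky sequence: peek at step2 followed by bump, or stare at step2 followed by splice."""
    if len(chosen) < 3:
        return False
    s2, s3 = chosen[1], chosen[2]
    return (s2 == "peek" and s3 == "bump") or (s2 == "stare" and s3 == "splice")

# Constructed transaction: the SNI names the bank, but the certificate is issued to a CDN edge host,
# so noBumpSites matches at step2 and no longer matches at step3.
TX = {"connect_host": "bank.example", "sni": "bank.example", "cert_subject": "edge.cdn-provider.example"}

if __name__ == "__main__":
    for label, rules in (("option 1", OPTION_1), ("option 2", OPTION_2)):
        steps = evaluate(rules, TX)
        print(label, steps, "RISKY" if violates_peek_stare_principle(steps) else "ok")
```

With this transaction option 1 peeks at step2 and then falls through to bump at step3, the sequence Alex says the rules should never produce, while option 2 splices at step2 without ever seeing the server certificate.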
