[squid-users] About SSL peek-n-splice/bump configurations

Alex Rousskov rousskov at measurement-factory.com
Mon Sep 10 19:46:33 UTC 2018


On 09/10/2018 12:35 PM, Julian Perconti wrote:

> So, in a brief the config is:
> 
> ssl_bump peek step1 all
> ssl_bump peek step2 noBumpSites
> ssl_bump stare step2 all

... which should be equivalent to an even simpler config:

  ssl_bump peek step1
  ssl_bump peek noBumpSites
  ssl_bump stare all

... which, for many reasonable definitions of noBumpSites (that match
during step1 if and only if they should match during step1), can be
simplified even further:

  ssl_bump peek noBumpSites
  ssl_bump stare all


However, please note that the three configs above implicitly rely on
Squid splicing (or bumping) at step3 because of the previously matching
step2 peek (or stare) action and the lack of an explicit step3 rule.
Whether Squid v4.2 actually does what it should be doing, I do not know.


> 1: Is this peek-n-splice ruleset insecure?

Define "secure".


> 2: It is correct to say that those lines are not necessary/redundant?

They should be redundant, but I do not know whether Squid v4.2
implements this aspect of the specs correctly. I know that there were
related implementation bugs in some Squid v3 releases. You can test and,
if needed, file a bug report.


> (#ssl_bump splice step3 noBumpSites/#ssl_bump bump step3 all)

Please note that the meaning of your noBumpSites ACL changes from one
step to another (because it gets more/different info). Thus, it is
incorrect to say that

  ssl_bump peek step1
  ssl_bump peek step2 noBumpSites
  ssl_bump splice step3 noBumpSites
  ...

is always exactly equivalent to

  ssl_bump peek step1
  ssl_bump peek step2 noBumpSites
  ssl_bump splice step3 all # should be optional
  ...

When using the first configuration, it is possible that, in some
specific case, noBumpSites matches during step2 but does not match
during step3, and Squid proceeds to evaluating the remaining "..." rules
in that specific case. Such a sequence of events is not possible in the
second configuration because splicing at step3 is unconditional there --
it does not rely on noBumpSites matches during step3.


HTH,

Alex.
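Added example, not part of Alex's reply and not Squid's own code: a small Python simulator of first-match ssl_bump evaluation, run over the two step3 configurations compared above, with noBumpSites matching at step2 but not at step3. Assumptions (all constructed here): stepN ACLs are true only at step N, `all` is always true, any other ACL name is looked up in a per-step table, peek/stare rules are skipped at step3, an unmatched step3 falls back to splice after peek or bump after stare as the post describes, and a `terminate all` line stands in for the "..." rules the post leaves unspecified.

```python
Rule = tuple[str, list[str]]        # (action, ACL names); every ACL must match
Facts = dict[int, dict[str, bool]]  # step -> {ACL name: matched at that step?}

def parse_ssl_bump(config: str) -> list[Rule]:
    # one 'ssl_bump ACTION acl...' rule per line; '#' starts a comment
    rules = []
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] != "ssl_bump" or len(words) < 2:
            raise ValueError(f"not an ssl_bump rule: {raw!r}")
        rules.append((words[1], words[2:]))
    return rules

def acl_matches(acl: str, step: int, facts: Facts) -> bool:
    if acl == "all":
        return True
    if acl.startswith("step") and acl[4:].isdigit():  # step1 / step2 / step3
        return step == int(acl[4:])
    return facts.get(step, {}).get(acl, False)  # named ACL: result may differ per step

def evaluate(rules: list[Rule], facts: Facts) -> list[str]:
    # first matching rule wins at each step; returns the action taken per step
    taken = []
    for step in (1, 2, 3):
        action = "none"                      # assumption: no match => no action
        for act, acls in rules:
            if step == 3 and act in ("peek", "stare"):
                continue                     # assumption: not step3 actions
            if all(acl_matches(a, step, facts) for a in acls):
                action = act
                break
        if action == "none" and step == 3:   # implicit step3 fallback from the post
            action = {"peek": "splice", "stare": "bump"}.get(taken[-1], "none")
        taken.append(action)
        if action not in ("peek", "stare"):  # splice/bump/terminate end evaluation
            break
    return taken

# Constructed scenario: noBumpSites matches at step2 but not at step3.
FACTS: Facts = {1: {"noBumpSites": False}, 2: {"noBumpSites": True}, 3: {"noBumpSites": False}}
CONDITIONAL = """ssl_bump peek step1
ssl_bump peek step2 noBumpSites
ssl_bump splice step3 noBumpSites
ssl_bump terminate all  # constructed stand-in for the post's "..." rules"""
UNCONDITIONAL = CONDITIONAL.replace("splice step3 noBumpSites", "splice step3 all")

def compare() -> tuple[list[str], list[str]]:
    # actions per step under the conditional vs. the unconditional step3 splice
    return (evaluate(parse_ssl_bump(CONDITIONAL), FACTS),
            evaluate(parse_ssl_bump(UNCONDITIONAL), FACTS))
```

`compare()` returns `(['peek', 'peek', 'terminate'], ['peek', 'peek', 'splice'])`: with the conditional step3 rule the stand-in "..." rule is reached, while the unconditional form always splices.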

