[squid-users] About SSL peek-n-splice/bump configurations

Julian Perconti vh1988 at yahoo.com.ar
Thu Sep 13 03:02:56 UTC 2018

> I am afraid you do not. You are probably missing the fact that, at each step,
> the rules after the matching applicable rule are not checked.
> Also, you seem to insert some implicit peeking rules that are never there.
> Finally, there may be some confusion regarding how multiple ACLs on one
> line are evaluated (and/or you do not think that stepN is just an ACL?).

You're right, it's just an ACL like any other. Maybe I lost sight of that point.

> Details below.

I will keep trying to understand the best I can.

> > ssl_bump peek step1
> > ssl_bump peek noBumpSites
> > ssl_bump stare all
> >>   ssl_bump peek step1  # implicit "all" at step1
> Yes, if you wish to think about it that way. In reality, the condition
> is exactly "step1", rather than "step1 and all" or "step1 and true".
> >>   ssl_bump peek noBumpSites # As there no step specified, squid match
> at any step
> Not exactly. Squid will evaluate this rule at any step that (a) reaches
> this line and (b) where the peek action is applicable. The intersection
> of those two preconditions is "step2" rather than "any step".

Ok, say that the most important thing (not to say the *only* one), beyond any step or action, is the *sequential order -line_by_line-* of the rules (steps).


  ssl_bump splice noBumpSites # this will be totally ignored by Squid if a stare rule precedes this.


  ssl_bump stare noBumpSites # No matter what, here is the Squid first match and he is at step1...
  ssl_bump splice noBumpSites # ...Therefore here Squid is at step2, then this line will never match, even not having specified the step in both lines, because "noBumpSites" was already stared at first line.

Well, I am not really sure about the above example (maybe I chose the worst one).. if I read what the Actions do at the wiki, doubts appear in my mind; it's just an example about how implicit steps work.

Anyway, as an exercise I guess that in this example what Squid will do is a final "splice noBumpSites" at step2, because the stare action always matches at step1 (and at the wiki, the peek/stare descriptions are the same)

I cannot figure out right now what will happen at step3 or SslBump3.. I guess that there will never be a bump, not sure.
*BUT* if an implicit stare occurs at step2 due to the first line, then squid will bump the "noBumpSites" and never match/ignore the second line completely.

> > then this line, match at step1

"This line" was ssl_bump peek noBumpSites

> No, this line will not be evaluated at step1. Only the first rule is
> evaluated at step1 (because that first rule always matches at step1).
> > and then at step2, so when a match occurs at step2 it precludes future
> bumping of the sites listed in the ACL.
> Yes, but that is kind of irrelevant here because there are no bump rules
> to exclude. At step3, this previous/step2 peeking should result in Squid
> applying the default "splice" rule (you can view that as excluding the
> default "bump" rule if you wish).

Yes, that's the idea: default/implicit bump all, except the "noBumpSites", but maybe it is not the best way to do that.

> >> ssl_bump stare all # Here there is either no step2 (and any step)
> >> specified but, because in the previous line You has (implicitly)
> >> peeked at step2, the stare'ing not (or can't) applies to sites
> >> listed in ACL (they were peeked at step2).
> Something like that. Step2 always happens in this configuration (so "no
> step2" does not make sense), and there is no such thing as "implicit
> peeking", but I think you more-or-less got the right idea here.

I didn't know that "implicit peeking" does not exist, as you said above. Instead, I always thought that peeking was mandatory.
Summary: implicit splice and bump always exist. Implicit peek, no. Is this correct?

See my doubt at the end...and conclusion.

> >> ssl_bump peek noBumpSites # Like previous example, but..I guess
> >> that as there is no "all" explicit, this line do a "peek all at
> >> step1" (implicitly)
> No, this line does not do "peek all". It does "peek noBumpSites". That
> is, it tells Squid to peek when and only when both of the conditions
> below are true:
> (a) the peeking action is applicable (i.e., step1 or step2)
> (b) the noBumpSites ACL matches
> The two conditions above are evaluated in the specified order. Condition
> (b) is not evaluated unless condition (a) is satisfied.

Another important point to keep in mind is what you are telling above.

> > To clarify, if I would add an "all" at the end of this line, then all traffic would
> be spliced.
> Adding "all" to any line changes nothing as far as line matching is
> considered. The value of "foo and true" is equivalent to the value of "foo".

So the word "all" makes sense if it is "alone"? Or not even like that?
e.g.: ssl_bump peek step1 all = ssl_bump peek step1, *always*?

> I am not sure I interpret your definition correctly, but I hope the
> following statements will answer your question regardless of that
> interpretation:
> * Staring (at step2) or bumping (at any step) alters TLS bytes on the
> wire. The client and the origin server will see some TLS bytes that are
> going to differ from the TLS bytes they would have seen if Squid was not
> there.
> * In this scope, the deprecated client-first and server-first actions
> are equivalent to applying the "bump" action.
> * If successful, ssl_bump peek and splice actions do not alter TLS
> bytes. Peeking and/or splicing Squid can be viewed as a TCP proxy as far
> as TLS bytes forwarding is concerned. The client and the origin server
> will see the same TLS bytes they would have seen if Squid was not there.
> * In this scope, various errors are usually equivalent to applying the
> "bump" action.

Very clear and useful explanation.

> If your definition of "secure" is "does not change TLS bytes exchanges
> between client and server"

Yes, you have correctly understood what I tried to mean with the term "secure"; say: "Don't let squid touch sites that should not be touched" ...or something like that.

>, then if your configuration has a "stare"
> and/or "bump" actions, it is "insecure". If your configuration may lead
> to certificate validation errors, it is also "insecure".

Does not the splice action at step1 and step2 avoid this? I mean if squid acts as a -TCP forward proxy only- for noBumpSites. "Don't touch TLS bytes"

> > When I do this:
> >
> > ssl_bump splice noBumpSites
> > ssl_bump stare all
> > It is supposed that in this config I am (guessing), implicity,
> > peeking  (first?) and splice at any step and bumping (implicity) at
> > step3 sites that does not match with whitelist by staring at step2.
> > Maybe something like that, I dont know.
> I do not think your description of the above configuration is correct.
> Squid uses default actions ("splice" or "bump") when no applicable rules
> match. In the above configuration, one of the rules will always match
> during step1 and during step2 (if any). Thus, there will be no implicit
> splicing or bumping during the first steps. If Squid reaches step3, then
> Squid will apply the default bump rule at that step (because "stare"
> matched at the previous step).
> I am not sure, but I think the above configuration is equivalent to the
> following configuration that does not rely on default rules:
>   ssl_bump splice step1 noBumpSites
>   ssl_bump splice step2 noBumpSites
>   ssl_bump stare step1
>   ssl_bump stare step2
>   ssl_bump bump step3

According to Amos: it is always better to be explicit and bump at step3 after stare at step2. (And of course it is clearer to understand)

I have tested the above config (I think that this one you've posted is what I want to do) against the "compact/default" one (the last "2-lines-config" above) and I am almost sure that the squid logs report the same behaviour, and maybe there are fewer lines with "ssl" lib errors...and "Security Alert: there is no ip/domain match...."

BUT here you are never peek'ing? How is that?
You are stare'ing instead of peek'ing at step1 (3rd line); I would have done a peek at that line. I referred to this question when I said "see the doubt at the end..." almost in the middle of the msg..

> HTH,
> Alex.


I think that is enough. We should take a pause or close the thread.
I *MUST* as soon as possible re-re and re-read this thread entirely again and again.. And the Wiki page too.
Because I remember (in English as well as I can) that Amos said things that You are telling me -again- (maybe in other words, but that isn't important, nor is it the point)

All the best,

Thank You all
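As an added illustration (my own code, not from this thread or from Squid itself), a small Python simulator of the first-match ssl_bump evaluation Alex describes: per step, the first rule whose action is possible at that step and whose ACLs all match wins, later rules are not checked, and with no match the default is splice after a peek and bump after a stare. It assumes ACL names step1/step2/step3 mean "acl stepN at_step SslBumpN", that other ACL names are site lists matched against the host, and that a step1 with no matching rule defaults to splice.

```python
# Assumptions: step1/step2/step3 stand for "acl stepN at_step SslBumpN";
# other ACL names are site lists matched against the host; "all" always
# matches; a leading "!" negates; a step1 with no matching rule defaults
# to splice (the documented default action). Sample data is constructed.
FINAL = {"splice", "bump", "terminate"}           # no further steps after these
STEPS = {"peek": {1, 2}, "stare": {1, 2}, "splice": {1, 2, 3},
         "bump": {1, 2, 3}, "terminate": {1, 2, 3}}  # steps an action is possible at

def parse(config):
    """'ssl_bump <action> [!]acl ...' lines -> [(action, [acl, ...])]."""
    rules = []
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split()     # drop comments and blanks
        if not parts:
            continue
        if parts[0] != "ssl_bump" or parts[1] not in STEPS or len(parts) < 3:
            raise ValueError("bad ssl_bump rule: " + line)
        rules.append((parts[1], parts[2:]))
    return rules

def acl_hit(acl, step, sites, host):
    name = acl.lstrip("!")
    if name == "all":
        hit = True
    elif name in ("step1", "step2", "step3"):
        hit = step == int(name[-1])
    else:
        hit = host in sites.get(name, ())
    return hit != acl.startswith("!")

def decide(rules, step, prev, sites, host):
    for action, acls in rules:
        if step not in STEPS[action]:             # condition (a): applicable here?
            continue
        if all(acl_hit(a, step, sites, host) for a in acls):  # (b): ACLs, left to right
            return action                         # first match wins; rest unchecked
    return "bump" if prev == "stare" else "splice"  # default when nothing matched

def simulate(config, sites, host):
    """Return the action taken at each step, e.g. ['peek', 'peek', 'splice']."""
    rules, trail, prev = parse(config), [], None
    for step in (1, 2, 3):
        prev = decide(rules, step, prev, sites, host)
        trail.append(prev)
        if prev in FINAL:
            break
    return trail

SITES = {"noBumpSites": {"bank.example"}}        # constructed sample ACL contents
CFG_SHORT = "ssl_bump splice noBumpSites\nssl_bump stare all\n"
CFG_EXPLICIT = ("ssl_bump splice step1 noBumpSites\nssl_bump splice step2 noBumpSites\n"
                "ssl_bump stare step1\nssl_bump stare step2\nssl_bump bump step3\n")
```

Running simulate(CFG_SHORT, ...) and simulate(CFG_EXPLICIT, ...) for a listed and an unlisted host gives the same trail for both configs, which is the equivalence Alex suggests above.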
