[squid-users] About SSL peek-n-splice/bump configurations

Julian Perconti vh1988 at yahoo.com.ar
Fri Sep 14 00:13:40 UTC 2018


> > Example:
> >
> >   ssl_bump splice noBumpSites # this will be totally ignored by Squid if a
> stare rule precedes this.
> 
> No, this is incorrect. There are many cases were a previous stare rule will not
> have the effect you state it will. For example:
> 
>   # Squid may splice at step2 despite the preceding stare rule
>   # because staring at step1 does not preclude splicing.
> 
>   ssl_bump stare step1
>   ssl_bump splice noBumpSites

Well yes, I think you are right; but my example (or what I meant) was: (maybe you posted that to give an example of how that rule could possibly not match, I don't know)

   ssl_bump stare noBumpSites  (at this line your example said: ssl_bump stare step1)
   ssl_bump splice noBumpSites

...And here a "key question" appears:

   ssl_bump stare noBumpSites # This is the first line of SslBumps ruleset.

So, when Squid reaches this first rule and line (there is no explicit step) ...does Squid make a "loop of steps" only along the first line and go to the next line only when the rule stops being applicable/matchable?
If the answer to my question is "Yes", then the second line has no effect because I guess Squid will do a bump in more or less this way:

   ssl_bump stare  noBumpSites

... is the same as:

   ssl_bump stare  step1 noBumpSites
   ssl_bump stare  step2 noBumpSites # Here is where the second line stops making sense
   ssl_bump bump  step3 noBumpSites # Finally bump due to the previous step

Thus:

   ssl_bump splice noBumpSites # will never match.

Going back a bit, Amos explained the following when I asked:

>> ...So that means that squid processes the SslBump directives:
>> 1: maybe more than one time in a single request...?
>> 
> Yes. Up to 3 times. A peek or splice action causes another check later.

Well, Amos never mentioned a "stare" action here, so I don't know if a "stare" applies to this too.
And even worse, maybe I did not understand him correctly.

>   # Squid will splice at step1 despite the preceding stare rule
>   # because the preceding stare rule never matches
>   ssl_bump stare !all
>   ssl_bump splice all

And this example is more obvious than the first one. It is as if that previous line did not exist.

(...)

> > Does not the splice at step1 and step2 action avoid this? I mean if
> > squid act as a -TCP forward proxy only- for noBumpSites. "Don't touch
> > TLS bytes"
> 
> I am not sure what you mean by "this" exactly, but splicing (at any
> step) does not guarantee the lack of errors. 

Ok, but is Squid the culprit of those errors? It is being a passive observer of that TLS traffic.
Here, I am talking about the idea of (explicitly) splicing at step1 and then at step2 for a whitelist of sites.

Question based on words below:

>>>* If successful, ssl_bump peek and splice actions do not alter TLS
>>>bytes. Peeking and/or splicing Squid can be viewed as a TCP proxy as far
>>>as TLS bytes forwarding is concerned. The client and the origin server
>>>will see the same TLS bytes they would have seen if Squid was not there.
>>>
>>>* In this scope, various errors are usually equivalent to applying the
>>>"bump" action.

> The earlier you tell Squid to
> splice the connections, the fewer checks Squid will do, decreasing the
> probability of an error.

That is the idea with the noBumpSites ACL: the fewest errors possible.

Let's say: "Let's remove as much responsibility as possible from Squid for what happens with really sensitive/special sites, if something goes wrong."
Talking to Squid / in other words: "Squid, do a *full* bump of msn.com and youtube.com too; but please *never do anything at all, nor touch anything* with bankaust.com.au."
(Something like that)

> Errors lead to bumping the client connection (to
> deliver the error message).

What do you mean by those errors?

Thank You
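Added configuration example (not from this thread, and not the Squid project's own text): the "never touch the bank sites, bump everything else" intent discussed above, written with explicit at_step ACLs so the action taken at each SslBump step is visible in the ruleset rather than depending on how a single step-less "stare noBumpSites" line is re-evaluated. The ACL name noBumpSites is taken from the thread; the domain names are placeholders.

```squid
# Constructed example: make every SslBump step explicit with at_step ACLs.
acl step1 at_step SslBump1   # before the client TLS Hello has been parsed
acl step2 at_step SslBump2   # after the client Hello (SNI known), before contacting the server
acl step3 at_step SslBump3   # after the server certificate has been received

# Sites that must never be decrypted. ssl::server_name matches the server name
# Squid has learned so far (CONNECT host, SNI, or server certificate names).
# Placeholder domains; replace with the real allow-list.
acl noBumpSites ssl::server_name .bankaust.com.au .example-bank.invalid

# Step 1: peek to learn the SNI while preserving the possibility of splicing.
ssl_bump peek step1

# Step 2: the name is now known, so splice the allow-listed sites here.
# From this point Squid only forwards TLS bytes for those connections and
# performs no further SslBump checks on them.
ssl_bump splice step2 noBumpSites

# Everything else: stare at step2 (preserves the possibility of bumping),
# then bump once the server certificate is available at step3.
ssl_bump stare step2
ssl_bump bump step3
```

Each step has exactly one matching rule, so there is no ambiguity about which action applies when. The splice for noBumpSites is decided at step2, i.e. as early as the server name can be known, which is the point made in the quoted reply about earlier splicing meaning fewer checks; a client that sends no SNI will only match through the CONNECT host or whatever other name Squid has at that step.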


