[squid-users] About SSL peek-n-splice/bump configurations

Alex Rousskov rousskov at measurement-factory.com
Tue Sep 18 16:36:10 UTC 2018


On 09/18/2018 09:11 AM, Julian Perconti wrote:
>>> the thing that really does not make sense is splice at step1 and then splice
>>> at step2

>> It is not possible to splice twice. Splicing is one of the final actions. No other
>> action follows a final action (by definition).

> So, if a rule "x" matches a splice action at inner loop when the outer
> loop starts, then take the final action for the rule "x" and if
> there are no more rules at step1 exit and proceed to evaluate the
> rules for the step2.

I think it is possible to interpret your summary as a correct statement,
but the reality is much simpler: After a splice rule is applied, SslBump
is over. No more rules are checked. No more loops are iterated. Squid
simply "exits" the SslBump feature (and becomes a TCP tunnel).


>>>    ssl_bump peek noBumpSites
>>>    ssl_bump stare


>> At step1 and at step2, if noBumpSites matches, then Squid will peek.

> Therefore default splice...

If noBumpSites matches at step2, then, yes, Squid will splice at step3
by default. Otherwise, no; Squid will bump at step3 by default.


>> At step1 and at step2, if noBumpSites does not match, then Squid will stare.

> ...and default bump.

If noBumpSites does not match at step2, then, yes, Squid will bump at
step3 by default. Otherwise, no; Squid will splice at step3 by default.


>   ssl_bump splice noBumpSites # This line reaches a splice rule at step1
>   ssl_bump stare

> Squid is telling the client: "I will not touch any TLS byte. [...]
> I will do as many checks as possible then You will be connected..."

The configuration above does not match your summary because the
configuration has a "stare" action that may run at (step1 and) step2
(and, hence, a possibility of the bump action at step3). Staring at
step2 and bumping (at any step) modify TLS bytes, of course.

Perhaps your summary only applies to the cases where noBumpSites matches
(either at step1 or at step2), but the summary did not make that clear.
There is a big difference between explaining Squid actions for a
particular transaction and summarizing what a particular configuration
means (for all transactions). Unless noted otherwise, I am focusing on
the latter.

AFAICT, the primary difference between

  ssl_bump peek noBumpSites
  ssl_bump stare

and

  ssl_bump splice noBumpSites
  ssl_bump stare

is that the former requires a noBumpSites match at step2 for the
connections to be spliced. The latter does not require that; it is even
content with splicing based on step1 (i.e. TCP/IP) info, before knowing
step2 (i.e. the TLS client) details. You can see those differences when,
for example, noBumpSites does not match at step1.

The other differences include whether the TLS client- and
server-provided information is checked and logged in all cases or just
in some cases.

Alex.
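
Added example (not part of the original message and not Squid code): a simplified Python model of the rule evaluation described above, run on both configurations with constructed noBumpSites outcomes per step. The names `possible`, `evaluate`, `PEEK_CFG`, `SPLICE_CFG` and `CASES` are assumptions for illustration, the step3 restrictions after peek/stare are modelled as strict, and the no-match-at-step1 case is not modelled.

```python
# Simplified model of SslBump rule evaluation (illustration only, not Squid code).
FINAL = {"splice", "bump", "terminate"}

def possible(action, step, prev):
    """Can this action be applied at this step, given the previous step's action?"""
    if action in ("peek", "stare"):
        return step in (1, 2)              # looking ahead happens only at step1/step2
    if step == 3 and prev == "peek":
        return action != "bump"            # peeking at step2 precludes bumping
    if step == 3 and prev == "stare":
        return action != "splice"          # staring at step2 precludes splicing
    return True

def evaluate(rules, acl_matches):
    """rules: ordered (action, acl_or_None); acl_matches: {step: set of matching ACLs}.
    Returns the list of (step, action) applied until a final action ends SslBump."""
    trace, prev = [], None
    for step in (1, 2, 3):
        action = next((a for a, acl in rules
                       if possible(a, step, prev)
                       and (acl is None or acl in acl_matches.get(step, set()))), None)
        if action is None:                 # no rule applies: default follows previous step
            if prev is None:
                raise ValueError("no rule matched at step1: not modelled here")
            action = "splice" if prev == "peek" else "bump"
        trace.append((step, action))
        if action in FINAL:                # final action: no more rules, no more steps
            break
        prev = action
    return trace

PEEK_CFG = [("peek", "noBumpSites"), ("stare", None)]
SPLICE_CFG = [("splice", "noBumpSites"), ("stare", None)]

# Constructed transactions: the steps at which noBumpSites matches.
CASES = {
    "step1 only": {1: {"noBumpSites"}},
    "step2 only": {2: {"noBumpSites"}},
    "never": {},
    "always": {1: {"noBumpSites"}, 2: {"noBumpSites"}, 3: {"noBumpSites"}},
}

if __name__ == "__main__":
    for name, matches in CASES.items():
        print(f"{name:10}  peek cfg:   {evaluate(PEEK_CFG, matches)}")
        print(f"{'':10}  splice cfg: {evaluate(SPLICE_CFG, matches)}")
```

The "step1 only" case is where the two configurations diverge in outcome: the peek variant ends in a bump at step3, while the splice variant becomes a tunnel at step1.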

