[squid-users] About SSL peek-n-splice/bump configurations

Alex Rousskov rousskov at measurement-factory.com
Wed Sep 19 21:35:29 UTC 2018

On 09/19/2018 10:23 AM, Julian Perconti wrote:
>> Alex: After a splice rule is applied, SslBump is over. No more rules are
>> checked. No more loops are iterated. Squid simply "exits" the SslBump
>> feature (and becomes a TCP tunnel).

> What about the meaning of the ACL's at step1 when splice?

* If the splice rule ACLs match, the splice rule is applied. In that
case you can consult my statement above.

* If the splice rule ACLs do not match, then the splice rule is not
applied. My statement above explicitly does not cover this case -- it
starts with "after a splice rule is APPLIED".

> e.g.:
> There only these two rules for ssl_bump statements:
> ssl_bump splice sitesAB
> ssl_bump splice SitesCD

> I guess that here, Squid has to do 2 loops at the outer/main loop to
> evaluate step1 twice, because the rules differ (sitesAB and sitesCD ACLs),
> and see if both match to splice.

I do not know why you are guessing instead of carefully applying the
already documented procedure, but you guessed wrong. At any step, the
first matching rule is applied. For example, if sitesAB matches, then
Squid splices without checking the second (i.e. SitesCD) rule.

N.B. I removed the (misplaced) "step1" ACLs from the above example. That
ACL does not affect the above discussion.

> Are you (perhaps) talking about the examples in the thread and not what happens "in general"?

My statements above are general except the "For example..." sentence
that refers to your specific example.

> In which case could the "noBumpSites" ACL have not matched? I mean, if I
> tell Squid "splice at step1 this.site.net", how can that match
> fail?

Roughly speaking, the server_name ACL matches at step1 when the real or
fake CONNECT Host information matches one of the configured server names.

For example, if you are intercepting or if the real CONNECT request
contains an IP address (rather than a host name), then the server_name
ACL matches if the reverse DNS lookup for that IP address is successful
and matches at least one of the configured server names. In other cases,
the ACL does not match during step1.

The reality is more complex than the above rough summary because domain
name comparison is a complex algorithm. Consult the latest Squid
documentation for details. Also, please do not forget that step2
matching adds checking TLS client SNI name, and step3 matching adds
checking certificate Subject names. It gets really complex...

For example, the Host header of a CONNECT request may not be the same as
the TLS client-supplied SNI name, and/or the server certificate subject
name may. These differences (and other random factors like DNS
inconsistencies) may result in the server_name ACL match result changing
across the steps.

Modern Squids have additional server_name options that control some of
the matching nuances discussed above.
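An added configuration example (not from this thread or the Squid project) that lays out the first-match ordering and the per-step server_name behaviour discussed above; the ACL names, domains and the Squid 4+ server_name option are assumptions chosen for illustration.

```squid
# Added example, not part of the original thread. ACL names and domains
# are constructed placeholders.

# Step ACLs: at_step lets a rule fire only at a given SslBump step.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# At step1 server_name only sees the real or fake CONNECT host
# information (or the reverse DNS result for an intercepted IP).
# At step2 it additionally sees the TLS client SNI.
acl sitesAB ssl::server_name .site-a.example .site-b.example
acl sitesCD ssl::server_name .site-c.example .site-d.example

# Squid 4+ option (assumption): require the client-requested name and
# the server-provided certificate name to agree before matching.
acl sitesEF ssl::server_name --consensus .site-e.example .site-f.example

# Rules are scanned top-down at every step; the first matching rule is
# applied and nothing below it is consulted at that step.

# Step1: if sitesAB matches the CONNECT host, Squid splices here and
# SslBump is over; the remaining rules are never evaluated.
ssl_bump splice sitesAB

# Step1 fallback: peek so that step2 can see the SNI. This rule cannot
# match at step2 or step3 because of the step1 ACL.
ssl_bump peek step1

# Step2: sitesAB is re-checked by the first rule above with SNI in hand;
# only if it still fails do these rules get a chance.
ssl_bump splice sitesCD
ssl_bump splice sitesEF

# Anything that reached this point without being spliced is bumped.
ssl_bump bump all
```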
