[squid-users] About SSL peek-n-splice/bump configurations

Julian Perconti vh1988 at yahoo.com.ar
Wed Sep 19 22:41:17 UTC 2018

I reply to myself due to a bounce; I have to re-enable my membership to the list at least 3 times a month.
Maybe a problem with Yahoo.

>>> Alex: After a splice rule is applied, SslBump is over. No more rules are
>>> checked. No more loops are iterated. Squid simply "exits" the SslBump
>>> feature (and becomes a TCP tunnel).

OK, that is what was bothering me, and therefore I asked about what you said.

>> What about the meaning of the ACL's at step1 when splice?
>* If the splice rule ACLs match, the splice rule is applied. In that
>case you can consult my statement above.
>* If the splice rule ACLs do not match, then the splice rule is not
>applied. My statement above explicitly does not cover this case -- it
>starts with "after a splice rule is APPLIED".
>> e.g.:
>> There only these two rules for ssl_bump statements:
>> ssl_bump splice sitesAB
>> ssl_bump splice SitesCD
>> I guess that here, Squid has to do 2 loops at outer/main loop to
>> evaluate step1 twice, due to rules differs (sitesAB and sitesCD ACL)
>> and see if both match to splice.

I think that I made a mistake in the above sentence.
I should have said "(..) Squid has to do 2 loops at the inner loop while it is at the main loop (at SslBump1)".

>I do not know why you are guessing instead of carefully applying the
>already documented procedure, but you guessed wrong. At any step, the
>first matching rule is applied. For example, if sitesAB matches, then
>Squid splices without checking the second (i.e. SitesCD) rule.

Well, I am guessing because many things are not completely clear to me and/or easy to understand at all. I am new to TLS filtering.
For example, I would never have thought that in the given example the second rule (sitesCD) will never be checked later.
I asked or wrote that example with the inner loop in mind; I'm sorry.

>> Are You (perhaps) talking about the examples in the thread and not what happens "in general"?
>My statements above are general except the "For example..." sentence
>that refers to your specific example.

It's good to know.

>> In which case the "noBumpSites" ACL could have not match? I mean if I
>> tell a Squid: "splice at step1 this.site.net" How that matches can
>> fail?
>Roughly speaking, the server_name ACL matches at step1 when the real or
>fake CONNECT Host information match one of the configured server names.
>For example, if you are intercepting or if the real CONNECT request
>contains an IP address (rather than a host name), then the server_name
>ACL matches if the reverse DNS lookup for that IP address is successful
>and matches at least one of the configured server names. In other cases,
>the ACL does not match during step1.
>The reality is more complex than the above rough summary because domain
>name comparison is a complex algorithm. Consult the latest Squid
>documentation for details. Also, please do not forget that step2
>matching adds checking TLS client SNI name, and step3 matching adds
>checking certificate Subject names. It gets really complex...
>For example, the Host header of a CONNECT request may not be the same as
>the TLS client-supplied SNI name, and/or the server certificate subject
>name may. These differences (and other random factors like DNS
>inconsistencies) may result in the server_name ACL match result changing
>across the steps.
>Modern Squids have additional server_name options that control some of
>the matching nuances discussed above.

That's what I imagined you meant (and worried about too), without any kind of knowledge. And now you have just confirmed it.
So things become a little more delicate.
And *now* I understand why you put so much emphasis on saying: "If the rule match..."


Thank You.
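Added illustration (my own model, not code from this thread or from Squid) of the evaluation order Alex describes: at every SslBump step the first rule whose ACL matches is applied and later rules are not checked; splice/bump/terminate end SslBump, peek moves to the next step; and a server_name ACL has more names to compare against as the steps progress (CONNECT Host or reverse DNS at step1, client SNI from step2, certificate Subject from step3). The ACL shapes, the numeric at_step form, the sample domains and the 203.0.113.10 address are constructed, and the default of "splice" when no rule matches is an assumption to be checked against squid.conf.documented for your release.

```python
# Model of SslBump rule evaluation as described in the thread. Not Squid code:
# ACL types are simplified and the no-match default ("splice") is an assumption.
import ipaddress
from dataclasses import dataclass
from typing import Optional

FINAL_ACTIONS = {"splice", "bump", "terminate"}  # these end SslBump processing
LAST_STEP = 3


@dataclass
class Connection:
    """What Squid can know about one TLS connection, by SslBump step."""
    connect_host: Optional[str] = None  # real or fake CONNECT Host (may be an IP)
    reverse_dns: Optional[str] = None   # rDNS answer for an IP connect_host, if any
    client_sni: Optional[str] = None    # ClientHello SNI, only known from step2
    cert_subject: Optional[str] = None  # server certificate Subject, only from step3


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def names_known_at(conn: Connection, step: int) -> list:
    """Server names a server_name ACL can compare against at the given step."""
    names = []
    if conn.connect_host:
        if not _is_ip(conn.connect_host):
            names.append(conn.connect_host)
        elif conn.reverse_dns:  # an IP only yields a name if rDNS succeeds
            names.append(conn.reverse_dns)
    if step >= 2 and conn.client_sni:
        names.append(conn.client_sni)
    if step >= 3 and conn.cert_subject:
        names.append(conn.cert_subject)
    return [n.lower() for n in names]


def acl_matches(acl: dict, conn: Connection, step: int) -> bool:
    """Simplified ACL types: at_step (numeric), all, server_name (dstdomain-style)."""
    kind = acl["type"]
    if kind == "at_step":
        return acl["step"] == step
    if kind == "all":
        return True
    if kind == "server_name":
        for name in names_known_at(conn, step):
            for dom in (d.lower() for d in acl["domains"]):
                if dom.startswith("."):  # leading dot: the domain and its subdomains
                    if name == dom[1:] or name.endswith(dom):
                        return True
                elif name == dom:
                    return True
        return False
    raise ValueError(f"unknown ACL type {kind!r}")


def evaluate(rules: list, acls: dict, conn: Connection, no_match_default: str = "splice"):
    """Walk SslBump1..3 over rules = [(action, acl_name), ...] in config order.

    First matching rule per step wins; later rules are never checked. A final
    action ends SslBump at once; peek/stare continue to the next step.
    Returns (final_action, trace) with trace = [(step, action, acl_name), ...].
    """
    trace = []
    for step in range(1, LAST_STEP + 1):
        action = None
        for rule_action, acl_name in rules:
            if acl_matches(acls[acl_name], conn, step):
                action = rule_action
                trace.append((step, rule_action, acl_name))
                break
        if action is None:  # assumed default when nothing matches at this step
            trace.append((step, no_match_default, "<no match>"))
            return no_match_default, trace
        if action in FINAL_ACTIONS:
            return action, trace
    trace.append((LAST_STEP, no_match_default, "<end of steps>"))  # peek at last step
    return no_match_default, trace


ACLS = {  # constructed sample ACLs
    "step1": {"type": "at_step", "step": 1},
    "sitesAB": {"type": "server_name", "domains": [".a.example", ".b.example"]},
    "sitesCD": {"type": "server_name", "domains": [".c.example", ".d.example"]},
    "all": {"type": "all"},
}


def scenario_two_splice_rules():
    # The thread's example: once sitesAB matches at step1, sitesCD is never checked.
    rules = [("splice", "sitesAB"), ("splice", "sitesCD")]
    return evaluate(rules, ACLS, Connection(connect_host="www.a.example"))


def scenario_intercepted_no_peek():
    # Intercepted IP with no rDNS: no name is known at step1, so sitesAB cannot match.
    rules = [("splice", "sitesAB"), ("bump", "all")]
    return evaluate(rules, ACLS, Connection(connect_host="203.0.113.10", client_sni="www.a.example"))


def scenario_intercepted_with_peek():
    # Same connection; peeking at step1 makes the SNI available to sitesAB at step2.
    rules = [("peek", "step1"), ("splice", "sitesAB"), ("bump", "all")]
    return evaluate(rules, ACLS, Connection(connect_host="203.0.113.10", client_sni="www.a.example"))


if __name__ == "__main__":
    for fn in (scenario_two_splice_rules, scenario_intercepted_no_peek, scenario_intercepted_with_peek):
        print(fn.__name__, *fn())
```

The second and third scenarios are the practical point of the thread: with an intercepted IP and no usable reverse DNS, a splice rule on server_name cannot match at step1 and the catch-all bump rule wins, whereas a peek at step1 lets the same splice rule match on the client's SNI at step2.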
