[squid-users] About SSL peek-n-splice/bump configurations

Julian Perconti vh1988 at yahoo.com.ar
Fri Sep 21 15:08:11 UTC 2018

Hi all.

I will go (finally) with this sslBump config. Although I still have some doubts...
I think that it's time to finish this thread.

acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"

# steps ACL
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

#  SslBump actions
ssl_bump peek step1
ssl_bump splice noBumpSites
ssl_bump stare step2

The TLS config "explained" as well as I can understand:
*Clarification*: maybe I will quote some words out of context; but Alex told me that he almost always speaks "In general terms" about what Squid does.

# First rule:
ssl_bump peek step1 #  Step 1 is the only step that is always performed.

If I do not peek at step1, and instead directly splice, what the wiki warns about happens (this was checked):

" Bump All Sites Except Banks
" Usually does not work for requests that go to non-banks -- they will not be bumped." (Verified)
" Depending on other settings, Squid may terminate connections to banks if Squid cannot validate client SNI (Host header forgery detection) or the server certificate."
The wiki example config about this warning is:
  ssl_bump splice serverIsBank
  ssl_bump peek all
  ssl_bump bump all

So my conclusion is: "It's "better" (to avoid: ...not work for requests that go to non-banks) to peek step1"

# Second rule:
ssl_bump splice noBumpSites 

Here I have a doubt, I'm sorry.
Based on the above words and the Squid behaviour I mentioned, I think that this rule should implicitly match only at step2.

Alex's words:

>"So, "yes", Squid only executes the first rule action _when_ the first
>rule action is applicable and its ACLs match at every step, but, "no",
>Squid does not make a bunch of steps with only the first rule in mind."

With the overall logic in mind, the first impression is that the second rule could match at step1 and at step2 too. As if this rule were the first one (but it is the second).
However, as I said above, if the splice is the first rule instead of the peek, Squid's behaviour changes.

>After a splice rule is applied, SslBump is over. No more rules are
>checked. No more loops are iterated. Squid simply "exits" the SslBump
>feature (and becomes a TCP tunnel).

Here, probably (not sure), Alex referred to the "splice all" rule. In that case it is clear that "splice is a final action", so no more future checks.
"Actions splice, bump, and terminate are final actions: They prevent further processing of the ssl_bump rules."

But in my config, next to splice there is an ACL. That is why I asked "But, doesn't the ACL matter?" in an earlier mail.

Therefore, due to Alex's statement above: will Squid ignore the last rule?
I checked that the answer is no. If I remove the last rule (stare step2) all the traffic is spliced.
I think that the reason is: (explicit) peek step1 > (implicit) peek step2 > result: default splice all. (peek at step2 precludes future bumping)
Even more, if I remove the last rule, I think that the second rule will be ignored. In reality it would not make sense.

# Third/last rule:
ssl_bump stare step2 # stare at step2 so implicit and "secure" default bump action at step3.

Probably I said something (or all) that is WRONG.

Thank You.
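A small model of the step-by-step rule walk described in this message, added here as an example; it is not code from Squid or from the thread. It encodes only the behaviour stated above (first matching rule per step, splice/bump/terminate are final, default splice after a peek and bump after a stare), and the no-bump regex is a constructed stand-in for the contents of /etc/squid/url.nobump.

```python
import re

# Constructed stand-in for /etc/squid/url.nobump (the real patterns are not in the post)
NOBUMP_PATTERNS = [re.compile(r"(^|\.)bank\.example$", re.IGNORECASE)]

def no_bump_sites(step, sni):
    """acl noBumpSites ssl::server_name_regex: the SNI only becomes known after the
    client hello was peeked/stared at step 1, so this ACL cannot match at step 1
    (model assumption taken from the discussion above)."""
    return step >= 2 and sni is not None and any(p.search(sni) for p in NOBUMP_PATTERNS)

def at_step(n):
    """acl stepN at_step SslBumpN"""
    return lambda step, sni: step == n

FINAL_ACTIONS = {"splice", "bump", "terminate"}

def evaluate(rules, sni):
    """Walk SslBump steps 1..3 and apply the first rule whose ACL matches at the
    current step. Model of the thread's description, not Squid's source code:
    a final action ends processing; when no rule matches, the default action is
    splice after a peek and bump after a stare."""
    previous = None
    for step in (1, 2, 3):
        action = next((act for act, acl in rules if acl(step, sni)), None)
        if action is None:
            action = "bump" if previous == "stare" else "splice"
        if action in FINAL_ACTIONS:
            return action
        previous = action
    # Only reached if an explicit peek/stare matched at step 3; settle it by the same default
    return "bump" if previous == "stare" else "splice"

# The configuration from the post, rule order preserved
RULES = [
    ("peek", at_step(1)),
    ("splice", no_bump_sites),
    ("stare", at_step(2)),
]

def outcomes(rules):
    """Result per constructed SNI: one matching the no-bump list, one not."""
    return {sni: evaluate(rules, sni) for sni in ("www.bank.example", "www.example.org")}

if __name__ == "__main__":
    print("with stare step2:   ", outcomes(RULES))      # bank spliced, other bumped
    print("without stare step2:", outcomes(RULES[:2]))  # everything spliced
```

Dropping the third rule reproduces the observation above: after peeking at step 2 the default is splice, so nothing is ever bumped.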
