[squid-users] Peek and splice where SNI not present

Amos Jeffries squid3 at treenet.co.nz
Sat Oct 5 09:44:26 UTC 2019


On 5/10/19 3:34 pm, washuu wrote:
> 
> Hi, 
> 
> I'm using Squid 3.5.27, and I want to filter some HTTPS traffic, based on
> the hostnames.

When using SSL-Bump features, even for things like this you should
follow the latest Squid version to make sure the TLS handling is up to
date. Currently Squid-4.8 is minimal for SSL-Bump features to work well.


> 
> my ssl-related config is as follows: 
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump peek step1 all
> acl global_https_dst_allow ssl::server_name "/chroot/squid/etc/squid/global_dst_whitelist"
> ssl_bump splice step2 global_https_dst_allow
> ssl_bump terminate step2 proxyclients
> http_access allow SSL_ports
> http_access allow proxyclients

NP: at a guess based on their names these two ACLs are redundant. You
should be able to remove the "allow SSL_Ports" line and let proxyclients
do the allow. Unless you want any random external client to be allowed
just because they want your proxy for HTTPS relay.


> http_access deny all
> 
> Now I see, that several SSL clients do NOT send SNI hostname in the Client
> Hello message, and what I got is denied access, with the following entry in
> the log: 
> 
> 1570241666.136      5 192.168.3.99 TAG_NONE/200 0 CONNECT 52.202.211.224:443 - HIER_NONE/- - -
> 

There is no indication of which SSL-Bump step is being performed when
this log entry is recorded. This may be from the initial CONNECT request
before the ClientHello is received.


> I have two questions then: 
> 
> 1) For such cases, is there a possibility to filter traffic based on
> certificate provided by the Server Hello (instead of SNI from Client Hello)
> in step3?

Only in Squid-4+, with the --server-provided flag. Like so:

 acl foo ssl::server_name --server-provided .example.com


> 2) Is there a way, to allow (by additional ACL rule, perhaps) traffic
> without SNI field set? so actually I would be filtering OUT only the
> sessions where SNI was present, but the hostname did not match my whitelist.

There is a special value "none" for the ssl::server_name ACL which will
match if there is no server name found. (NP: It is broken prior to
Squid-3.5.23 and Squid-4.1)

You will need the --client-requested flag (also only in Squid-4+) to
limit the server name to SNI.


Be careful using this type of bypass. It essentially makes the whitelist
pointless, clients just avoid sending SNI and they can do whatever they
like with your proxy. That is a major security hole.

Amos
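
The two answers above combined into one fail-closed ssl_bump policy, as an added example that is not part of the original message or the Squid project's own configuration. It assumes Squid-4+; the ACL names sni_allowed, no_sni, cert_allowed and step3 are chosen here, and the whitelist path is the one from the question.

```squidconf
# Added example. Requires Squid-4+ for the --client-requested and
# --server-provided flags of ssl::server_name.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Names taken only from the client's SNI.
acl sni_allowed ssl::server_name --client-requested "/chroot/squid/etc/squid/global_dst_whitelist"

# Matches when the ClientHello carried no SNI at all.
acl no_sni ssl::server_name --client-requested none

# Names taken only from the server certificate (subject CN / subjectAltName).
acl cert_allowed ssl::server_name --server-provided "/chroot/squid/etc/squid/global_dst_whitelist"

# Step 1: read the ClientHello so that SNI (if any) is known at step 2.
ssl_bump peek step1

# Step 2, SNI present and whitelisted: tunnel without decrypting.
ssl_bump splice step2 sni_allowed

# Step 2, no SNI: do not splice blind. Peek at the ServerHello instead so
# the certificate can be checked at step 3.
ssl_bump peek step2 no_sni

# Step 3 (only reached by the no-SNI connections peeked above): splice only
# when the certificate presented by the server names a whitelisted host.
ssl_bump splice step3 cert_allowed

# Everything else is closed: SNI present but not whitelisted (step 2),
# or no SNI and a certificate that does not match (step 3).
ssl_bump terminate all
```

With this ordering a client that omits SNI gets no wider access than the whitelist allows, because the decision moves to the server certificate instead of being skipped. Under TLS 1.3 the server certificate is encrypted in the handshake, so a peeking proxy may have no server-provided name to match and such connections end at the terminate rule.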