[squid-users] Peek-and-splice not working when mixing TLS1.3 servers and TLS1.2 clients

Nikolaus dc.sqml at ntcomputer.de
Fri Sep 20 14:53:41 UTC 2019


I have a transparent squid 4.8 proxy peek-and-splice setup acting as a
TLS domain filtering proxy. The setup worked well, until more and more
servers started adopting TLS 1.3. In this case, depending on the client
TLS version, errors started to appear:

If server, squid and client use TLS 1.3: Everything works as expected.
If server and squid use TLS 1.3, but client only supports TLS 1.2: The
client terminates the connection due to certificate verification errors.

I have had a look at what happens at TLS protocol level using wireshark,
and it seems that in the latter case, squid - for some reason - performs
(something similar to) bumping instead of splicing! That is, squid sends
back certificates to the client which are completely different than the
ones received from the server, and appear to be generated. Any
ClientKeyExchange received from the client also wouldn't be forwarded to
the server.

The following is the relevant part of my squid config:

https_port 3443 intercept ssl-bump cert=/etc/squid/dummy.pem.crt key=/etc/squid/dummy.pem.key
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_connections
ssl_bump terminate step2 all
ssl_bump splice step3 allowed_https_connections
ssl_bump terminate all

where allowed_https_connections is an ACL checking ssl::server_name.

How can I get the splicing setup working when mixing TLS 1.3 servers and
TLS 1.2 clients?

Many thanks!
Nikolaus
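As an added example (not part of the original post and not Squid project code): a small Python parser for the TLS ClientHello, the message Squid peeks at in step1. It extracts the SNI that `ssl::server_name` matches on and whether the client advertises TLS 1.3 through the supported_versions extension, which is exactly what separates the TLS 1.3 client case from the TLS 1.2-only client case described above. The hostname and the ClientHello bytes are constructed inline for the demonstration.

```python
import struct

# Constructed sample hostname for the demonstration (not taken from the post).
EXAMPLE_SNI = "allowed.example.net"

VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def build_client_hello(sni, supported_versions=None):
    """Build a minimal ClientHello record (constructed test input, not a capture).
    A TLS 1.3-capable client lists its versions in supported_versions (type 43);
    a TLS 1.2-only client omits that extension and relies on legacy client_version."""
    host = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", 0, len(sni_list)) + sni_list          # server_name extension
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        body = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", 43, len(body)) + body
    hello = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"     # version, random, empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f"                   # one cipher suite
             + b"\x01\x00"                                          # null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the SNI and the highest TLS version a ClientHello offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                           # record header (5) + handshake header (4)
    legacy_version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                                     # client_version + random
    pos += 1 + record[pos]                            # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                            # compression_methods
    ext_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_len
    sni, versions = None, []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4
        data = record[pos:pos + elen]
        pos += elen
        if etype == 0:                                # server_name: list len(2), type(1), name len(2)
            name_len = struct.unpack_from("!H", data, 3)[0]
            sni = data[5:5 + name_len].decode()
        elif etype == 43:                             # supported_versions: len(1), then 2-byte versions
            versions = [struct.unpack_from("!H", data, i)[0] for i in range(1, 1 + data[0], 2)]
    top = max(versions) if versions else legacy_version
    return {"sni": sni, "max_version": VERSION_NAMES.get(top, hex(top)),
            "has_supported_versions": bool(versions)}
```

Running it over a pcap-extracted ClientHello instead of the constructed one shows whether a given client actually offers TLS 1.3, which is the first thing to check before blaming the splice decision.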