[squid-users] Best way to prevent squid from bumping CONNECTs

Alex Rousskov rousskov at measurement-factory.com
Mon Apr 27 19:09:03 UTC 2020


On 4/27/20 12:21 PM, Scott wrote:

> my experience with ssl_bump is that it tries to bump SSL connections whether 
> presented to Squid explicitly or implicitly.

* For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels
are sent to the SslBump code.

* For https_port configured with an ssl-bump flag, all traffic is sent
to the SslBump code (by faking a corresponding HTTP CONNECT request).

* All other traffic is not sent to the SslBump code.

SslBump code honors ssl_bump rules when inspecting and
splicing/bumping/terminating/etc. traffic.


> When simply configuring `ssl_bump bump host_acl' the Squid logs show Squid 
> trying, and failing, to bump CONNECT requests.  They may be failing due to a 
> certificate issue most likely, I'm not sure.  I can't add to the certificate 
> store of the software that has the proxy configured (i.e. it will not permit 
> bumping).

* If you do not want Squid to use SslBump features on traffic arriving
on port X, then do not add the ssl-bump flag to that port X.

* If you want to use the same port for traffic that should be bumped and
traffic that should not be inspected beyond step1, adjust your ssl_bump
step1 rules to distinguish the two kinds of messages.

Needless to say, you decide which traffic goes to which listening port
and whether a single port serves multiple traffic categories.


> Is it expected that Squid will bump/splice CONNECT requests?

It depends -- some CONNECT tunnels are expected to be inspected and
bumped, spliced, terminated, etc., according to the configuration.
Please see above for the details. Squid does not know what it will find
inside the CONNECT tunnel until it starts inspecting that tunnel.


> Because not all CONNECT sessions are SSL, if the CONNECT destination does not 
> begin a TLS handshake will Squid revert to simply creating a TCP tunnel 
> instead of bumping?

SslBump expects SSL/TLS traffic inside CONNECT tunnels that it is
configured to inspect. If an inspecting Squid decides that it got some
other traffic, Squid follows the on_unsupported_protocol configuration.


> My workaround has been to simply add `!CONNECT' to the `ssl_bump host_acl' 
> statements.  Squid will happily bump the SSL sessions and proxy the CONNECT 
> sessions.

AFAICT, that workaround cannot work on modern Squids because all traffic
subject to ssl_bump rules will start as a (real or fake) CONNECT request.


HTH,

Alex.
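The setup Alex describes above (one ssl-bump port whose step1 rules decide what is bumped, a second plain port that never inspects CONNECT, and on_unsupported_protocol for non-TLS tunnels), as an added squid.conf fragment that is not part of the original thread. Port numbers, file paths, the host list and the client range are assumptions, and the tls-cert= option assumes Squid 4 or later (Squid 3.5 spelled it cert=).

```conf
# Added example, not from Alex's message. Values below are assumptions.

# Port with SslBump enabled: every CONNECT arriving here is handed to the
# SslBump code, so the ssl_bump rules (not the port) make the decision.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Port without the ssl-bump flag: CONNECT here is always a plain TCP
# tunnel and is never inspected. Point clients that cannot trust the
# bumping CA at this port instead of trying to exclude them with !CONNECT.
http_port 3129

# Certificate generator helper (path is an assumption; Squid generates
# certificates in-process, with a warning, if this line is omitted).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Servers whose TLS we actually want to inspect (assumed list).
acl bump_hosts ssl::server_name .example.test

# Client range that will never accept the bumping CA (assumed).
acl no_bump_clients src 192.0.2.0/24

# Step 1: only the CONNECT request is known. Leave the no-bump clients
# alone right away; peek at everyone else to learn the TLS SNI.
ssl_bump splice no_bump_clients
ssl_bump peek step1

# Step 2: ssl::server_name now reflects the ClientHello SNI. Bump only
# the chosen hosts and splice everything else through untouched.
ssl_bump bump bump_hosts
ssl_bump splice all

# Something other than TLS inside an inspected CONNECT tunnel: tunnel it
# rather than fail, which is the behaviour Alex points at.
on_unsupported_protocol tunnel all
```

The explicit "ssl_bump splice all" last line matters: without it, traffic matching no rule is bumped, and clients without the CA in their trust store fail exactly as described in the thread.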

