[squid-users] Best way to prevent squid from bumping CONNECTs

Alex Rousskov rousskov at measurement-factory.com
Thu Apr 30 20:05:43 UTC 2020


On 4/30/20 12:10 PM, Scott wrote:

>> * For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels
>> are sent to the SslBump code.
>>
>> * For https_port configured with an ssl-bump flag, all traffic is sent
>> to the SslBump code (by faking a corresponding HTTP CONNECT request).


> These `fake' CONNECT requests I assume only contain the IP address of the 
> upstream server, not the hostname, as intercepted SSL connections are TCP 
> OPENs.

Modern Squid replaces TCP-derived destination IP address with TLS
SNI-derived domain name when generating the second fake CONNECT request.
The second CONNECT is generated during SslBump step2, after parsing TLS
client handshake.


> Am I right then in saying that using ssl::server_name is useless for bumped 
> intercepted connections?

It may be useful for ACLs checked during SslBump step2 (because it will
check the TLS client SNI-derived domain name) and during step3 (when it
will check TLS server certificate-derived CN and SubjectAltName).


HTH,

Alex.
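The SslBump step sequence described above (IP-derived fake CONNECT at step1, SNI-derived fake CONNECT at step2, server-certificate names at step3) is what makes `ssl::server_name` usable for the subject of this thread: keeping selected CONNECTs unbumped. The following squid.conf fragment is an added example, not configuration from this message or from the Squid project; the port numbers, certificate path and the `nobump_sites` domains are placeholders.

```squid
# Added example (not from the squid-users thread): use the SNI-derived name
# that Squid learns during SslBump step2 to splice (not bump) chosen sites.

# Forward-proxy port: explicit HTTP CONNECT tunnels go to the SslBump code.
http_port 3128 ssl-bump generate-host-certificates=on \
    tls-cert=/etc/squid/ssl/squid.pem            # placeholder path

# Intercept port: every TLS connection is wrapped in a fake CONNECT.
https_port 3129 intercept ssl-bump generate-host-certificates=on \
    tls-cert=/etc/squid/ssl/squid.pem            # placeholder path

# Name the three SslBump steps so ssl_bump rules can key on them.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites that must never be bumped (placeholder domains).
# At step1 ssl::server_name only sees the TCP-derived IP (intercept) or the
# CONNECT target; from step2 on it sees the TLS client SNI.
acl nobump_sites ssl::server_name .bank.example
acl nobump_sites ssl::server_name .healthcare.example

# Step1: peek at the client hello to learn the SNI, decide nothing yet.
ssl_bump peek step1

# Step2: the fake CONNECT now carries the SNI-derived name, so
# ssl::server_name is meaningful here. Splice the exempt sites untouched.
ssl_bump splice nobump_sites

# Everything else is bumped; the generated certificate is based on the
# SNI-derived name obtained at step2.
ssl_bump bump all
```

Because `ssl_bump` is re-evaluated at each step, the `peek step1` line is what delays the decision until the SNI is available; a `splice`/`bump` rule placed before it would be matched at step1 against the IP-derived name only, which is the "useless" case Scott asked about.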

