[squid-users] Strange Squid SSL Interception Behavior

Mathew Brown mbrown8918 at outlook.com
Wed Aug 26 19:12:11 UTC 2020


Thanks Alex
________________________________
From: Alex Rousskov <rousskov at measurement-factory.com>
Sent: Wednesday, August 26, 2020 11:54 PM
To: Mathew Brown <mbrown8918 at outlook.com>; squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] Strange Squid SSL Interception Behavior

On 8/26/20 9:13 AM, Amos Jeffries wrote:
> On 26/08/20 11:03 pm, Mathew Brown wrote:
>> Thank you Alex + Amos :) You've really helped clarify things. I had a
>> final question regarding this setup. Does this configuration only look
>> at the client-side part of the SNI request or also the server
>> certificate?

>> acl whitelist ssl::server_name .httpbin.org
>>
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet CONNECT
>>
>> ssl_bump peek step1
>> ssl_bump splice whitelist
>> ssl_bump terminate all


The above ssl_bump configuration ignores the TCP client information
(during step1) and looks at TLS client information (during the next step
-- step2). With this configuration, Squid will not see the server
certificate at all.


>> If it only looks at the client-side, how would I tell it to
>> look at the server response as well?

If you want Squid to consider the server certificate as well (during
step3), replace "step1" with "all". See ssl::server_name ACL for the
documentation of what "as well" really means in this context. It's
complicated.


> The process is all described at
> https://wiki.squid-cache.org/Features/SslPeekAndSplice

Yes, and also see the documentation for the ssl::server_name ACL. In
modern Squids, you can control what information that ACL is using.


BTW, I just realized that my earlier statements about reverse DNS
lookups were misleading: The ssl::server_name ACL does not do any DNS
lookups. When given an unresolved IP address, that ACL will usually
mismatch .httpbin.org (regardless of whether the reverse lookup would
have returned a matching domain name).


HTH,

Alex.
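As an added illustration (not config from the thread or the Squid project), the original rules beside a revised variant that keeps peeking through step3 so the server certificate is examined before splicing. The ssl::server_name options (--client-requested, --server-provided, --consensus) and the localnet range are assumptions: the options as documented for Squid 4 and later, the range a constructed example value.

```conf
# Added example, not the original poster's configuration.
# Assumes Squid 4 or later; verify the ssl::server_name options against
# your version's squid.conf.documented.

acl SSL_ports port 443
acl localnet src 192.0.2.0/24        # constructed example client network

# Original-style ACL: matches whatever server name Squid currently knows
# (CONNECT URI at step1, client SNI at step2, certificate subject at step3).
# It does no DNS lookups, so a bare IP address will usually mismatch.
acl whitelist ssl::server_name .httpbin.org

# Stricter ACL: matches only when the client-requested name and the
# server-provided name (certificate subject) agree on .httpbin.org.
acl whitelist_consensus ssl::server_name --consensus .httpbin.org

http_access deny CONNECT !SSL_ports
http_access allow localnet CONNECT
http_access deny all                 # explicit default-deny tail

# Original rules (kept for comparison): peek at step1 only, so the decision
# is made at step2 on the client SNI and the server certificate is never seen.
#   ssl_bump peek step1
#   ssl_bump splice whitelist
#   ssl_bump terminate all

# Revised rules: "peek all" keeps peeking at step1 and step2, so Squid fetches
# the server certificate and the splice-or-terminate decision lands at step3,
# where the consensus ACL can compare SNI against the certificate subject.
ssl_bump peek all
ssl_bump splice whitelist_consensus
ssl_bump terminate all
```

Because peeking at step2 rules out bumping later, the only step3 outcomes here are splice or terminate, which is the intended behaviour for an allow-list of unmodified TLS sessions.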