[squid-users] Issue with SSL_BUMP and Office365 (for one...)

J. Dierkse j.dierkse at madeo.nl
Sun Jun 7 17:53:37 UTC 2020 

> On 6 Jun 2020, at 09:39, j.dierkse at madeo.nl wrote:
> 
>> On 5 Jun 2020, at 15:32, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>> 
>> On 6/5/20 2:55 AM, J. Dierkse wrote:
>>>> Here is a sketch for v5. Sorry, I do not remember if v4 is equally
>>>> capable (but it very well may be):
>>>> 
>>>> # splice as soon as we detect specialHost
>>>> ssl_bump splice specialHost
>>>> # peek to get more info if needed
>>>> ssl_bump peek all
>>>> # optional: splice if we never detect specialHost
>>>> ssl_bump splice all
>>>> 
>>>> ... where specialHost is an ssl::server_name ACL.
>>> 
>>> I tried this configuration, but it doesn't give the desired effect.
>>> In 4.11 it doesn't seem to splice at all, but bump for some reason (is
>>> it correct not to refer to any bump steps?)
>> 
>> Bugs notwithstanding, the only reason the above configuration could
>> result in a bumped connection is if Squid wants to report an error to
>> the client. To make progress, you need to find out what that error is.
>> 
>> * I would start by examining access.log records after adding
>> %err_code/%err_detail to your custom logformat.
>> 
>> * If that does not help (we are still working on detailing various
>> errors better), I would look at cache.log after setting debug_options to
>> ALL,2 or higher.
>> 
>> * If that does not help, I would share a link to a compressed cache.log
>> after setting debug_options to ALL,9 and reproducing the problem using a
>> single transaction (to the extent possible).
>> 
>> 
>>> I know these errors have been a hot topic, and from what I can find
>>> (also in this mailing list) is that it should not block the connection.
>> 
>> I agree that host forgery detection should not block intercepted
>> connections and CONNECT tunnels (by default). I do not know how close
>> Squid is to that ideal -- there may be some holes in following that rule
>> of thumb. Also, I do not know whether your connections are bumped due to
>> these false positives or some other error. See above for the suggested
>> next steps.
>> 

I think I found the culprit; I’m exclusively using peer routing, and the knowledgebase mentions that this is disabled when host forgery is detected.
I understand the reasoning behind disabling this, but it renders my setup pointless for SSL connections.
Perhaps anyone has any brilliant ideas to do peer routing with Squid with (sorry to say) misbehaving CDN DNS servers..?
For now I’ll just set it to splice in step1.
Thanks for the help!


Best,


J. Dierkse

More information about the squid-users mailing list