[squid-users] no ssl intercept - question how it works
Amos Jeffries
squid3 at treenet.co.nz
Thu Aug 12 03:01:26 UTC 2021
On 12/08/21 4:06 am, robert k Wild wrote:
> Great thanks Amos as always
>
> So shall I leave this ssl bump lines in
>
> ssl_bump splice NoSSLIntercept
>> ssl_bump peek DiscoverSNIHost
>> ssl_bump bump all
>
> And delete this one
>
> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>
> As you're right, they're both the same; I didn't spot that
>
> My understanding is that with "no ssl intercept", Squid doesn't even bother to
> inspect the packets, i.e. man in the middle, and just literally passes them
> straight to the client
>
> Is that right?
>
Not quite. Squid still has to receive and look at something to make the
decision to splice.
The "NoSSLIntercept" is just an ACL. Being defined as a ssl::server_name
type it looks at whatever Squid is able to find for a server name
amongst the available data (CONNECT message URI, the client IP's
reverse-DNS, any TLS details seen so far, etc.).
So it depends on how many of the SSL-Bump steps have taken place so
far as to what it can match against.
In your case it happens at step1 and maybe step2 (when the peek happened
at step1 instead). Which means Squid looks at the TCP connection's
client IP, a CONNECT URI (if any) and maybe the TLS client handshake
plain-text details.
Note this is specific to your *current* configuration. Small changes
to the order of ssl_bump lines or ACLs used can change this behaviour
dramatically.
Amos
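To make the step-dependency concrete, here is a squid.conf excerpt written as an added example for this thread (not Amos's or the original poster's configuration). It keeps the NoSSLIntercept ACL name from the thread, assumes the usual at_step ACLs, and uses placeholder hostnames; the comments state which data the ssl::server_name ACL can match at each step.

```text
# Constructed squid.conf excerpt; hostnames are placeholders.

# One at_step ACL per SSL-Bump step. In the thread's original config,
# "DiscoverSNIHost" and "step1" were both "at_step SslBump1", which is
# why the two rule sets were equivalent.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Servers that must NOT be decrypted. At step 1 this ACL can only match
# what is already known (CONNECT URI, reverse-DNS); after a peek at step 1
# it can also match the SNI from the client's TLS ClientHello at step 2.
acl NoSSLIntercept ssl::server_name .bank.example
acl NoSSLIntercept ssl::server_name .health.example

# Step 1: peek, so the ClientHello (and its SNI) is read before any
# splice/bump decision is committed. Putting "splice NoSSLIntercept"
# above this line would instead decide at step 1 on CONNECT-URI data
# alone, which is the ordering sensitivity described in the reply.
ssl_bump peek step1

# Step 2: with the SNI now available, splice the exempt servers
# (no interception; TLS bytes are relayed unchanged) ...
ssl_bump splice NoSSLIntercept

# ... and bump (decrypt and re-encrypt) everything else.
ssl_bump bump all
```

With this order, "NoSSLIntercept" is evaluated at step 2 only, so a deployment can be checked by confirming in cache.log (debug_options 33,2 or similar) that exempt hosts show a splice decision after the peek rather than at step 1.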