[squid-users] no ssl intercept - question how it works

robert k Wild robertkwild at gmail.com
Thu Aug 12 08:50:17 UTC 2021


Thanks Amos

On Thu, 12 Aug 2021, 04:05 Amos Jeffries, <squid3 at treenet.co.nz> wrote:

> On 12/08/21 4:06 am, robert k Wild wrote:
> > Great thanks Amos as always
> >
> > So shall I leave these ssl bump lines in
> >
> > ssl_bump splice NoSSLIntercept
> > ssl_bump peek DiscoverSNIHost
> > ssl_bump bump all
> >
> > And delete this one
> >
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump bump all
> >
> > As you're right they're both the same, I didn't spot that
> >
> > My understanding is the "no ssl intercept", squid doesn't even bother to
> > inspect the packets ie man in the middle and just literally passes it
> > straight to the client
> >
> > Is that right?
> >
>
> Not quite. Squid still has to receive and look at something to make the
> decision to splice.
>
> The "NoSSLIntercept" is just an ACL. Being defined as an ssl::server_name
> type it looks at whatever Squid is able to find for a server name
> amongst the available data (CONNECT message URI, the client IP's
> reverse-DNS, any TLS details seen so far, etc.).
>   So it depends on how many of the SSL-Bump steps have taken place so
> far as to what it can match against.
>
> In your case it happens at step1 and maybe step2 (when the peek happened
> at step1 instead). Which means Squid looks at the TCP connection's
> client IP, a CONNECT URI (if any) and maybe the TLS client handshake
> plain-text details.
>
>   Note this is specific to your *current* configuration. Small changes
> to the order of ssl_bump lines or ACLs used can change this behaviour
> dramatically.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
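As an added illustration of the step-dependent matching Amos describes (this fragment is not from the thread or from the Squid project's documentation), a squid.conf excerpt in which the exemption ACL is spelled out and each ssl_bump line is annotated with what the server-name ACL can actually see at the step it is evaluated. The domain names and the CA file path are placeholders.

```conf
# Added example, not the original poster's configuration.
# Placeholder values: the exempted domains and the CA certificate path.

# Intercept port with SSL-Bump enabled; Squid mints per-host certificates
# signed by the local CA for connections it decides to bump.
http_port 3129 intercept ssl-bump cert=/etc/squid/ssl/PLACEHOLDER-CA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Step markers: at_step tells which SSL-Bump step the rule is evaluated at.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Exemption list. ssl::server_name matches whatever server name Squid has
# gathered so far, which grows with each step:
#   step1: only pre-TLS data (CONNECT URI host, reverse-DNS name), no SNI yet
#   step2: the TLS ClientHello has been peeked, so the SNI is available
acl NoSSLIntercept ssl::server_name .bank.example .health.example

# ssl_bump rules are re-evaluated from the top at every step; the first
# matching line decides the action for that step.
#
# Step 1: no ssl::server_name match is possible from SNI yet, so this line
# only matches if a CONNECT URI or reverse-DNS name already names an
# exempted host. Otherwise Squid falls through to the peek below.
ssl_bump splice NoSSLIntercept
# Step 1: peek at the ClientHello without terminating TLS. This is what
# makes the SNI visible to the ACL at step 2.
ssl_bump peek step1
# Step 2: with the SNI known, the splice line above now matches exempted
# hosts and the connection is passed through untouched. Everything else
# reaches this line and is bumped (decrypted and re-encrypted).
ssl_bump bump all
```

Because the rules are re-evaluated at each step, moving the `ssl_bump splice NoSSLIntercept` line relative to the peek changes which data the ACL can match against, which is the behaviour change Amos warns about.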