[squid-users] SSL-BUMP 5.0.4 not working as expected

ngtech1ltd at gmail.com ngtech1ltd at gmail.com
Sat Jan 2 20:08:55 UTC 2021


I am trying to configure 5.0.4 with sslbump to bump only a set of domains.

I am unsure about the right way it should be done.

The basic constrains are POLICY vs a set of rules.

*	Should I bump all connections with exceptions? 
*	Should I bump non else then the exceptions?
*	Based on server_name regex and/or server_name domains

 

 

Squid Cache: Version 5.0.4-20201125-r5fadc09ee

Service Name: squid

 

This binary uses OpenSSL 1.1.1g FIPS  21 Apr 2020. For legal restrictions on
distribution see https://www.openssl.org/source/license.html

 

configure options:  '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--disable-dependency-tracking' '--enable-follow-x-forwarded-for'
'--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake'
'--enable-auth-ntlm=fake' '--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,d
elayer,file_userip,SQL_session,unix_group,session,time_quota'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-removal-policies=heap,lru' '--enable-snmp'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi'
'--enable-security-cert-generators' '--enable-security-cert-validators'
'--enable-icmp' '--with-aio' '--with-default-user=squid'
'--with-filedescriptors=16384' '--with-dl' '--with-openssl'
'--enable-ssl-crtd' '--with-pthreads' '--with-included-ltdl'
'--disable-arch-native' '--without-nettle'
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'CC=gcc' 'CFLAGS=-O2  -fexceptions -g -grecord-gcc-switches -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
'LDFLAGS=-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld ' 'CXX=g++' 'CXXFLAGS=-O2
-fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
'LT_SYS_LIBRARY_PATH=/usr/lib64:' --enable-ltdl-convenience

 

 

I have tried the next set of rules:

## START

acl step1 at_step SslBump1

acl step2 at_step SslBump2

acl step3 at_step SslBump3

 

acl NoBump_server_regex ssl::server_name_regex -i
/etc/squid/server-regex.nobump

acl NoBump_server_name ssl::server_name /etc/squid/server-name.nobump

 

acl NoBump_ALL_regex ssl::server_name_regex -i
/etc/squid/all_server-regex.nobump

 

acl MustBump_server_regex ssl::server_name_regex -i
/etc/squid/must_server-regex.bump

acl MustBump_server_name ssl::server_name /etc/squid/must_server-name.bump

 

 

ssl_bump peek step1

 

ssl_bump splice NoBump_server_regex

ssl_bump splice NoBump_server_name

 

ssl_bump bump MustBump_server_regex

ssl_bump bump MustBump_server_name

 

ssl_bump splice NoBump_ALL_regex

 

ssl_bump bump all

##END

 

 

 

But the BoBump are not applied.

I tried to understand why squid is bumping despite the explicit splice
action.

 

Thanks,

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email:  <mailto:ngtech1ltd at gmail.com> ngtech1ltd at gmail.com

Zoom: Coming soon

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210102/5396e3e8/attachment.htm>


More information about the squid-users mailing list