[squid-users] SSL-BUMP 5.0.4 not working as expected

Alex Rousskov rousskov at measurement-factory.com
Sun Jan 3 22:44:58 UTC 2021


On 1/2/21 3:08 PM, ngtech1ltd at gmail.com wrote:
> I am trying to configure 5.0.4 with sslbump to bump only a set of domains.

>   * Should I bump all connections with exceptions?
>   * Should I bump none other than the exceptions?
>   * Based on server_name regex and/or server_name domains

Policy-wise, you should bump as little as possible. The rest depends on
your local specifics/goals.

As for implementing any policy, here is a rule of thumb: Workarounds and
exceptions aside, make the splicing-vs-bumping _decision_ during step2:
stare if the transaction matches your bumping policy, and peek
otherwise. Trigger the final splice/bump action during step3 based on
the decision made during step2 (modern Squids will do that for you by
default).

Rationale:

* It is not possible to properly bump at step1 -- Squid usually does not
have enough details (e.g., SNI) to do it properly so early. Thus, it is
usually best to just peek at step1.

* It is not possible to make the splicing-vs-bumping _decision_ during
step3 -- Squid has to know your intent at the end of step2 because the
TLS Hello Squid sends at the beginning of step3 depends on that intent.
Thus, the decision has to be made during the only remaining step -- step2.

* Bumping may work better when Squid mimics the server certificate and
that can only happen during step3. Splicing works well at earlier steps,
but splicing later gives Squid access to the TLS server Hello details
that can be useful for logging/triage. Thus, it may be a good idea to
delay the splice/bump action until step3. Please keep in mind that the
step3 action itself is fully determined by your decision during step2.


> I tried to understand why squid is bumping despite the explicit splice
> action.

Squid bumps either when a bump rule matches OR when Squid decides to
serve an error response to the client. The latter often happens when
your http_access rules deny CONNECT requests, especially during step1.
Examine your http_access rules and study the response to the first
bumped request to confirm that it is a Squid error page.


HTH,

Alex.
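
The following squid.conf fragment is an added example, not part of Alex's reply or of Squid's own documentation; it puts the step1/step2/step3 rule of thumb and the http_access caveat above into one configuration. The domain names, the client address range, the listening port and the certificate/certgen paths are placeholders chosen for illustration and must be replaced with local values.

```conf
# Added example (not from the original post): ssl_bump policy that peeks at
# step1, decides at step2 and acts at step3, bumping only a named set of
# servers. Domains, client range and file paths below are assumptions.

# SslBump step ACLs
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# The bumping policy: only these servers are bumped. ssl::server_name matches
# the SNI once it is known (step2 onwards) or the CONNECT target before that;
# ssl::server_name_regex is the regex variant. Both lists are placeholders.
acl bumpedSites ssl::server_name .example.com .example.net
acl bumpedSites ssl::server_name_regex -i ^mail\.example\.(org|edu)$

# Let the CONNECT requests through. A CONNECT denied at step1 makes Squid
# answer with an error page, which it can only deliver by bumping the
# connection, even for sites the ssl_bump rules would otherwise splice.
acl localnet src 192.0.2.0/24          # constructed client range (assumption)
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Listening port and dynamic certificate generator (paths are assumptions)
http_port 3128 ssl-bump tls-cert=/etc/squid/ssl/bump.crt tls-key=/etc/squid/ssl/bump.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# step1: SNI is not known yet, so only peek
ssl_bump peek step1
# step2: the decision -- stare at servers we intend to bump, peek at the rest
ssl_bump stare step2 bumpedSites
ssl_bump peek step2
# step3: act on the step2 decision (stared -> bump, peeked -> splice)
ssl_bump bump step3 bumpedSites
ssl_bump splice all
```

ssl_bump rules are matched first-match-wins, so the order of the step2 and step3 lines matters. Check the syntax with `squid -k parse` before reloading. To confirm the diagnosis in the reply above, look at the first bumped transaction for a site you expected to splice: if the client receives a Squid error page rather than the origin's content, an http_access rule denied the CONNECT and the bump was the error delivery, not a policy match.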

