[squid-users] Microsoft store issues with ssl-bump

Eliezer Croitoru ngtech1ltd at gmail.com
Tue Jan 12 14:10:42 UTC 2021


-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Tuesday, January 12, 2021 2:42 PM
To: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] Microsoft store issues with ssl-bump

On 12/01/21 11:32 pm, NgTech LTD wrote:
> I'm saying that my config might be wrong and I will send you a full 
> config save which can show you the whole setup like most vendors have.
> I have upgraded squid in production.
> 
> Let me verify first before shouting "bug".
> 
> Eliezer
> 

> The other proxy logs show SNI as being 
> "https://storeedgefd.dsx.mp.microsoft.com:443". SNI should be only a 
>name, not a full URL. So if we assume that log is correct the client is 
>producing invalid SNI. This may be an issue for Squid, causing it to 
> ignore the SNI value entirely.

It's only fprint that does this with https://XYZ:port
It sees only the ip + domain (plain SNI) + port


> The openssl tool connecting to the same IP address the other proxy 
> claims to be going to gets "sfdataservice.microsoft.com" as the server 
> name. In absence of valid SNI to work with that is the name your Squid 
> will be trying to match against to decide splice vs bump.

So squid tried to match only the certificate and not the SNI?
From what I see the SNI is OK with the certificate version 3 extensions, i.e. DNS=XYZ
(it should, I cannot verify this against the server at the moment.)


> The server prefers to use TLS/1.3 unless explicitly connected to with 
> TLS/1.2 immediately. IIRC latest Squid force the client to TLS/1.2 when 
> preparing to bump, but may not for splice and stare. So YMMV.
OK

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon
