[squid-users] Squid modification to only read client SNI without bumping.
squid3 at treenet.co.nz
Tue Jun 8 11:36:14 UTC 2021
On 2021-06-08 22:51, His Shadow wrote:
> Greetings. I've been trying to make a patch for squid,
Code changes should be discussed on the squid-dev mailing list.
FWIW, we (Squid devs) have already discussed this functionality change
and I have a TODO list entry (far down sadly) of supporting your
use-case. The way I think to approach it though is to start with the
configuration parser. A simple peek-splice/terminate TLS traffic flow
should not need certificates setup by admin.
If you want to pick up that TODO item please contact squid-dev to plan
out the actual best approach with the other dev working on Squid crypto
code.
Patch submission should be done by submitting a github PR targeted at
our repository 'master' branch.
> so that it
> could read client hello on connect requests and set the SNI without
> using ssl_bump, as that requires generating certificates and is too
> complicated for my needs.
Should not be too complicated. We have test scripts available that can
generate fake cert and CA for the *_port config settings. Or snakeoil
certs can be used.
Apart from the port settings, what your patch does is just this:
acl blocklist dstdomain ...
ssl_bump peek all
ssl_bump splice blocklist
ssl_bump terminate all
Amos
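As an added example (not code from the Squid project or from Amos's message above), here is what those three ssl_bump lines look like as a complete setup: a throwaway "snakeoil" CA for the port directive, a squid.conf fragment, and a small shell model of how the dstdomain ACL matches the SNI that "peek" exposes. The example orients the two actions so that listed domains are terminated and everything else is spliced through untouched. The directory and file names, the port number, the sample blocklist entries, and the Squid 4/5 spelling of the http_port options (ssl-bump, tls-cert=, tls-key=) are assumptions, not anything stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the Squid project or from the squid-users
# message it follows. Assumptions not stated on the page: file and directory
# names, the port number, the sample blocklist entries, and the Squid 4/5
# spelling of the http_port options.
set -eu

# Squid will not start an ssl-bump port without a certificate, even when
# every connection ends up spliced or terminated. A self-signed one is enough;
# nothing is ever bumped, so this CA never signs anything.
gen_snakeoil_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -subj "/CN=Squid snakeoil CA (peek-only)" \
        -keyout "$dir/snakeoil.key" -out "$dir/snakeoil.pem" 2>/dev/null
}

# Constructed sample blocklist in dstdomain syntax: a leading dot matches the
# domain and every subdomain; an entry without a leading dot matches that
# exact name only.
write_blocklist() {
    cat > "$1" <<'EOF'
.ads.example
tracker.example
EOF
}

# Emit the squid.conf fragment. Step 1 (before the ClientHello has been read)
# always peeks so Squid learns the SNI; at step 2 blocklisted names are
# terminated and everything else is spliced. No bump, so no per-site certs.
write_squid_conf() {
    cfg=$1; certdir=$2; acl=$3
    cat > "$cfg" <<EOF
# explicit proxy port (CONNECT requests); intercept ports need https_port
http_port 3128 ssl-bump generate-host-certificates=off tls-cert=$certdir/snakeoil.pem tls-key=$certdir/snakeoil.key
acl blocklist dstdomain "$acl"
ssl_bump peek all
ssl_bump terminate blocklist
ssl_bump splice all
EOF
}

# Shell model of the dstdomain ACL applied to a peeked SNI. Prints the
# ssl_bump action the fragment above would take: "terminate" or "splice".
sni_decision() {
    sni=$1; acl=$2
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in
            ''|'#'*) continue ;;
            .*) # ".ads.example" matches ads.example and any subdomain of it
                if [ "$sni" = "${entry#.}" ]; then echo terminate; return; fi
                case "$sni" in *"$entry") echo terminate; return ;; esac ;;
            *)  # "tracker.example" matches only that exact host
                if [ "$sni" = "$entry" ]; then echo terminate; return; fi ;;
        esac
    done < "$acl"
    echo splice
}

# Usage: sh peek_splice.sh /path/to/output-dir
if [ -n "${1-}" ]; then
    out=$1
    mkdir -p "$out"
    gen_snakeoil_ca "$out/ca"
    write_blocklist "$out/blocklist.txt"
    write_squid_conf "$out/squid.conf" "$out/ca" "$out/blocklist.txt"
    for name in ads.example cdn.ads.example bads.example tracker.example; do
        printf '%-20s %s\n' "$name" "$(sni_decision "$name" "$out/blocklist.txt")"
    done
fi
```

`sni_decision` is only a model of the ACL semantics (leading-dot entries match the domain and its subdomains, bare entries match exactly), useful for sanity-checking a list before the proxy is reloaded; Squid itself evaluates the real ACL. Squid still needs `cache_peer`/`http_access` rules as usual; the fragment covers only the TLS handling.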