[squid-users] Squid spliced TLS handshake failing with chrome/ium fallback for certain servers
Alex Rousskov
rousskov at measurement-factory.com
Thu Jun 10 20:04:01 UTC 2021
On 6/10/21 11:00 AM, Andreas Weigel wrote:
>> I can only suggest to either fix the Squid bug/limitation or decide to
>> splice during step1 (based on client SNI, etc., before Squid talks to
>> the origin server).
> don't know why I haven't yet had the idea, but indeed, if I force
> splicing at step 1 or even 2, the site loads without error. This is not
> exaclty a solution, but at least something to work with.
If you tell Squid to proceed to step3, then Squid has a duty to validate
the TLS server. Failure to do so should result in an error. This is what
https://wiki.squid-cache.org/Features/SslPeekAndSplice promises to do
during step3:
i. Get TLS Server Hello info from the server, including the server
certificate.
ii. Validate the TLS server certificate.
iii. Evaluate again all ssl_bump rules and perform the first matching
action (splice, bump, or terminate) for the connection.
We probably should enhance Squid to better control its reaction to 3i
failures, but such adjustments may have to be guarded by some new
explicit configuration because they would allow splicing connections to
non-TLS servers or very insecure TLS servers (that were previously
reported as errors).
HTH,
Alex.
More information about the squid-users
mailing list