[squid-dev] [PATCH make ssl-bump implicit on HTTPS interception ports
Alex Rousskov
rousskov at measurement-factory.com
Tue Jun 14 15:44:33 UTC 2016
On 06/13/2016 08:55 PM, Amos Jeffries wrote:
> Using an https_port with intercept or tproxy is pretty useless without
> ssl-bump being enabled. So auto-enable the 'ssl-bump' option on those
> ports instead of aborting with an error about ssl-bump being needed.
>
> The result of this should be that the intercepted traffic gets received
> by either the 'unknown protocol' pass-thru settings or the admins other
> ssl-bump related settings enacted.
Enabling ssl-bump implicitly is not a good idea IMO.
Bumping is a dangerous/complex feature with many side effects. If an
admin really wants Squid to apply [all] ssl_bump directives to a port,
they should add ssl-bump flag to that port explicitly IMO. Implicitly
enabling bumping for some ports is likely to increase confusion while
providing no advantages (that I can see) other than making https_port
lines a tiny bit shorter and downgrades more difficult.
If we really want to support intercepting https_port without an ssl-bump
flag, then we should change Squid to blindly tunnel such port traffic,
without applying any ssl_bump rules. That behavior would be consistent
with default CONNECT handling (and somewhat useful for logging and
similar reasons).
HTH,
Alex.
More information about the squid-dev
mailing list