[squid-dev] [PATCH] Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.
Marcus Kool
marcus.kool at urlfilterdb.com
Fri Oct 14 11:30:16 UTC 2016
I started testing this patch and observed one unwanted side effect of
this patch:
When a client connects to mtalk.google.com,
Squid sends the following line to the URL rewriter:
(unknown)://173.194.76.188:443 <IP>/<IP> - NONE
Marcus
Quoting Christos Tsantilas <christos at chtsanti.net>:
> Use case: Skype groups appear to use the TLS-encrypted MSNP protocol
> instead of HTTPS. This change allows Squid admins using SslBump to
> tunnel Skype groups and similar non-HTTP traffic bytes via
> "on_unsupported_protocol tunnel all". Previously, the combination
> resulted in encrypted HTTP 400 (Bad Request) messages sent to the
> client (that does not speak HTTP).
>
> Also this patch:
> * fixes bug 4529: !EBIT_TEST(entry->flags, ENTRY_FWD_HDR_WAIT)
> assertion in FwdState.cc.
>
> * when splicing transparent connections during SslBump step1, avoid
> access-logging an extra record and log %ssl::bump_mode as the
> expected "splice" not "none".
>
> * handles an XXX comment inside clientTunnelOnError for a possible
> memory leak of client-stream-related objects
>
> * fixes TunnelStateData logging in the case of splicing after peek.
>
> This is a Measurement Factory project.