[squid-dev] Introduction / SslBump upstream ssl proxy support
Amos Jeffries
squid3 at treenet.co.nz
Tue Aug 1 09:42:58 UTC 2017
On 21/07/17 01:11, Mihai Ene wrote:
> Hello,
>
> I'm a developer with higher-level language experience and very little
> commercial C++ development on my hands.
>
> I've been following the SslBump feature for a while now, and this
> includes source code changes. SslBumping with upstream proxies was
> completely restricted when bug 3209 was patched in 2011, however, I
> believe the patch is too restrictive. I agree with Amos's statement that
> a plaintext information leak is highly unsafe, but the patch also
> prevents ssl upstream proxies usage.
>
Hi Mihai,

That bug was 6 years ago, and the comments were specifically about using
plain-text peer connections. The patch was made to cover all parent
peers because ...

The problem Squid still has with SSL/TLS peers is not that they leak
info (they are contacted using TLS after all). It is that explicit-TLS
proxies use their own certs instead of mimic'd ones, so they present
Squid with a cert other than the origin server cert. That has
side-effects at the child proxy, where bumping cannot mimic the origin
cert details, and SSL-Bump ends up presenting a clearly invalid cert
which reasonable clients reject.

In order for the bumping to work without user-visible issues at present,
the best way is for the child proxy to go to its DIRECT or ORIGINAL_DST,
then get re-intercepted into the parent and re-bumped there, such that
the parent mimics the origin cert and it gets to the child proxy, then
the client.
> In order to prevent plaintext and still use upstream proxies, I propose
> the following changes (tested in intranet, in production) which enable
> upstream proxies after ssl bumping, as long as the proxies are ssl
> themselves:
>
> - version 4.x
> https://github.com/randunel/squid4/commit/c91995833370771f9903b374f17a0d774643c2b3
> - version 3.5.x
> https://github.com/randunel/squid3/commit/a72a47cf0d54bf17faefcfe7692182d82d6520ab
>
FYI: we are now using the GitHub PR system as the only way to accept changes
to Squid.

Can you please do your submission as a PR against the
https://github.com/squid-cache/squid repository master branch. It needs
to be accepted there before PRs against the beta and stable branch code
will be considered (in that order).
Thank you
Amos
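The two-proxy layout Amos describes above, written out as an added squid.conf example (not from this thread or the Squid project): the child bumps and sends HTTPS DIRECT, and the parent intercepts that outbound TLS and re-bumps it with a mimicked origin cert. Hostnames, file paths and ports are assumptions, the NAT or policy route that steers the child's TCP/443 into the parent is not shown, and the syntax is Squid 4 (Squid 3.5 spells the cache_peer `tls` flag as `ssl`, `tls-cert=` as `cert=`, and uses `sslproxy_cafile` instead of `tls_outgoing_options`).

```squid
# ---------------- child proxy (client-facing) ----------------
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/child-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# An explicit TLS parent is fine for plain HTTP, but bumped HTTPS must NOT
# be relayed through it: the parent would answer with its own certificate
# and the child could no longer mimic the origin cert for the client.
cache_peer parent.example.net parent 3128 0 no-query tls
acl SSL_ports port 443
always_direct allow SSL_ports      # bumped HTTPS goes DIRECT ...
never_direct allow all             # ... everything else via the parent

# The "origin" the child reaches is really the parent's intercept port,
# so the child must trust the parent's signing CA when validating.
tls_outgoing_options cafile=/etc/squid/parent-ca.pem

# ---------------- parent proxy (upstream) ----------------
# Receives the child's DIRECT TLS connections via interception, bumps them
# and presents a cert that mimics the real origin back to the child.
https_port 3129 intercept ssl-bump \
    tls-cert=/etc/squid/parent-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

Clients need only trust the child CA: the parent's mimicked cert is re-mimicked by the child, so the origin details the client sees come from the real server rather than from either proxy.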