[squid-dev] Changed SSL bump event ordering
Steve Hill
steve at opendium.com
Mon Sep 18 16:44:07 UTC 2017
I'm not sure when this changed - more debugging tomorrow but I thought
I'd post what I've found so far in case anyone has any input.
When peek/splice was first introduced, as far as I remember it worked
like this (for transparently proxied connections):
1. Connection is accepted.
2. The ssl_bump ACL is checked for step 1 (my config produces a "peek"
result).
3. The TLS session is peeked.
4. A fake CONNECT is produced containing the host name from the peeked SNI.
5. The spoof_client_ip, http_access, adaptation_access and cache ACLs
are checked.
7. ICAP REQMOD callout
6. The ssl_bump ACL is checked for step 2.
Testing with Squid 3.5.26, this event order has changed, moving the
peeking process to later:
1. Connection is accepted.
2. ssl_bump ACL is checked for step 1 (returning "peek").
3. A fake CONNECT is produced containing the web server's IP address.
4. The spoof_client_ip, http_access, adaptation_access and cache ACLs
are checked.
5. The TLS session is peeked.
6. The ssl_bump ACL is checked for step 2.
(The ICAP REQMOD callout no longer seems to happen)
This means the peeked SNI is no longer available when processing the
majority of ACLs. The upshot is that:
1. http_access ACL rules can only operate on the IP address, rather than
the SNI.
2. If the http_access ACL produces an HTTP response (e.g. a 302 redirect),
Squid has to bump the connection. Since the connection hasn't yet been
peeked, the forged certificate contains the server's IP address rather
than the host name and the browser displays a security warning.
Looking at the code, client_side.cc:ConnStateData::fakeAConnectRequest()
still contains the code to insert the SNI into the fake CONNECT:
    // Use the peeked SNI (if any) as the host of the fake CONNECT
    if (serverBump() && !serverBump()->clientSni.isEmpty()) {
        connectHost.assign(serverBump()->clientSni);
        // append the intercepted destination port, e.g. ":443"
        if (clientConnection->local.port() > 0)
            connectHost.appendf(":%d", clientConnection->local.port());
    }
However, this happens long before the connection is actually peeked.
I've not tested non-transparent mode yet. Am I missing something or has
this all changed at some point?
--
- Steve Hill
Technical Director
Opendium Online Safety / Web Filtering http://www.opendium.com
Enquiries: sales at opendium.com, +44-1792-824568
Support: support at opendium.com, +44-1792-825748
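As an added example (not from the post above and not the Squid project's own configuration), a squid.conf fragment for the transparent/intercept case discussed here. It assumes Squid 3.5 with SslBump support and the documented at_step and ssl::server_name ACLs; the certificate path, the localnet ACL and the site names are placeholders. The point it shows is the consequence of the ordering reported above: any decision that depends on the peeked SNI has to live in the ssl_bump rules evaluated at step 2, while http_access on the fake CONNECT can only rely on what is present at step 1 (the destination address and port).

```conf
# Added example squid.conf fragment (not from the post or the Squid project).
# Assumes Squid 3.5 with SslBump; paths, localnet and site names are placeholders.

https_port 3129 intercept ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Step 1: the fake CONNECT carries only the server IP (per the ordering observed above).
acl step1 at_step SslBump1
# Step 2: the ClientHello has been peeked, so the SNI is available.
acl step2 at_step SslBump2
# Step 3: the server certificate has been seen.
acl step3 at_step SslBump3

# Placeholder site lists (constructed for the example).
acl splice_sites ssl::server_name .bank.example
acl blocked_sites ssl::server_name .blocked.example

# http_access is checked against the fake CONNECT before the peek, so only
# the destination address and port are reliable here; keep these rules
# address/port based and leave hostname decisions to the ssl_bump rules.
acl SSL_ports port 443
http_access deny !SSL_ports
http_access allow localnet
http_access deny all

# Step 1: peek so that the SNI becomes available before any hostname decision.
ssl_bump peek step1
# Step 2: decisions that depend on the SNI.
ssl_bump terminate blocked_sites
ssl_bump splice splice_sites
ssl_bump bump all
```

Denying a hostname with `ssl_bump terminate` at step 2 closes the client connection instead of bumping it, so no forged certificate containing the server's IP address is presented to the browser; the trade-off is that the user sees a dropped connection rather than an HTTP error page or redirect, which is exactly the response http_access can no longer deliver without the certificate warning described in point 2 of the post.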