[squid-users] Skype bypass using ssl_bump peek
Amos Jeffries
squid3 at treenet.co.nz
Fri Dec 12 10:25:46 UTC 2014
On 12/12/2014 10:31 p.m., Yu-Hsuan Liao wrote:
> Hello everyone,
>
> I'm trying to use Squid 3.5's new feature peek-and-splice to
> bypass Skype connections. I'm a little confused about ssl_bump
> steps; the wiki says that
>
> peek Receive client (step SslBump1) or server (step SslBump2)
> certificate while preserving the possibility of splicing the
> connection.
>
> My question is: does ssl_bump make decision to bump or splice
> connection when Squid gets the ServerHello message?
>
> because I found that the Skype voice connection first
>
a) ssl_bump called (step 1) to decide what to do with no info but TCP
packet details available.
> 1. client sends Client Hello
b) ssl_bump called again (step 2) to decide what to do with only
client and TCP details available.
> 2. server sends Server Hello
c) ssl_bump called again (step 3) to decide what to do with all
client, server and TCP details available.
>
> then the Skype data payload transmission begins (non-SSL format, not the
> rest of the SSL handshake)
>
> so that I still got the "Error negotiating SSL connection on FD"
> message in cache.log
>
> Does the peek-and-splice function cover the above situation, or do I just
> misunderstand the usage of ssl_bump peek?
>
Not if you need to wait for the Skype payload before deciding what to
do during the bumping process.
If the TLS hello from either end included ALPN or a useful SNI value
they might be used to determine a step during bumping. Though I don't
think Squid acts on ALPN values yet.
> my squid ver. is 3.5.0.3
>
> squid.config setting is
>
> acl skype_list dstdomain "skype_list"
> ssl_bump peek skype_list
> ssl_bump stare all
>
Only if "skype_list" matches the TCP packet IP address (without rDNS
being looked up) will the peek happen.
I think you need to add at_step ACL test to peek always at step1, then
do the other actions at step2 once SNI (domain name) is possibly
available.
Amos
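The configuration Amos suggests, written out as an added example (it is not the poster's squid.conf and not code from the Squid project): peek unconditionally at step 1, splice at step 2 once the SNI from the ClientHello is available, and bump everything else. It assumes Squid 3.5's `at_step` and `ssl::server_name` ACLs; the certificate path `/etc/squid/bump.pem` and the list file `/etc/squid/skype_list` are assumed placeholders.

```squid
# Added example for Squid 3.5 ssl_bump; not the poster's own squid.conf.
# Assumed certificate path; generate-host-certificates is needed for bump.
http_port 3128 ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on

# Identify which SslBump step the current decision belongs to.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Hosts to leave untouched, matched against the TLS SNI (available from
# step 2 on) or the server certificate (step 3). Assumed file path; one
# hostname or .domain pattern per line.
acl skype_sni ssl::server_name "/etc/squid/skype_list"

# Step 1: only TCP details are known, so always peek to obtain the ClientHello.
ssl_bump peek step1
# Step 2: the SNI is now available; splice listed hosts so Squid never
# terminates TLS for them and their traffic passes through unmodified.
ssl_bump splice skype_sni
# Everything else is bumped (TLS terminated and inspected).
ssl_bump bump all
```

Peeking at step 1 and then bumping at step 2 is permitted; peeking at step 2 (the ServerHello) would restrict the step 3 choice to splice or terminate. As Amos notes, this only helps where the ClientHello carries a usable SNI: if Skype's flow has none, `skype_sni` never matches and the connection falls through to `bump`, which is where the "Error negotiating SSL connection" entry in cache.log comes from once the non-TLS payload starts.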