[squid-users] Splicing a connection if server cert cannot be verified

Soren Madsen (DREIJER) sdreijer at microsoft.com
Mon Dec 15 19:11:08 UTC 2014


Hi all,

By default, I want to bump all connections through my Squid instance. However, while testing I've discovered lots of sites that use SSLv3 or self-signed certificates, in which case I'd like to fall back to TLS passthrough mode and let the client decide whether it wants to trust the server or not. In other words, if Squid cannot successfully bump a connection, I don't want to fail the connection, but rather step out of the way and let the client decide what to do.

The ideal solution, I think, would be to optimistically attempt to bump the connection, but if it fails due to e.g. a bad server cert, a new connection can be established with the original client hello.

I was hoping the new peek and splice functionality would be able to help me in this regard:
http://wiki.squid-cache.org/Features/SslPeekAndSplice

As far as I can tell, the 'stare' action is what I'm interested in here, although it appears it's not a focus of the current implementation, and the 'peek' action has the following limitation note under 'Peeking at the server often precludes bumping':
"We could teach Squid to abandon the current server connection and then bump a newly open one. This is something we do not want to do as it is likely to create even worse operational problems with Squids being auto-blocked for opening and closing connections in vain."

I'm confused about this. Couldn't Squid just cache the information about whether it has previously refrained from bumping a connection due to a bad server cert (or other errors) and only check with the server once the cache expires? That should avoid triggering any alarms on the server. 

Maybe I'm misreading the document. I was hoping somebody here on the list could explain to me if I can achieve the above behavior.

Thanks!

/ Soren
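For readers arriving at this thread: the closest thing squid.conf offers today is to decide at SslBump1 (on the client's SNI, before any server connection exists) which sites to splice, and bump everything else. This is an added illustration, not configuration from the original post or from the Squid project; the file path and the list of sites are assumptions, and the list has to be maintained by hand because Squid does not learn it from failed bumps.

```conf
# Name the three SslBump steps so rules can be tied to one of them.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Assumed file: one server name per line for sites that cannot be bumped
# (SSLv3-only servers, self-signed certificates, pinned clients, ...).
# Spliced connections are passed through unchanged, so the client, not Squid,
# validates the server certificate for these sites.
acl nobump_sites ssl::server_name "/etc/squid/nobump_sites.txt"

# Step 1: only read the TLS ClientHello (SNI); no server connection yet,
# so this costs the server nothing and cannot trigger auto-blocking.
ssl_bump peek step1

# Step 2: for listed sites, step out of the way and relay bytes verbatim.
ssl_bump splice nobump_sites

# Everything else is bumped: Squid connects to the server, validates its
# certificate and mimics it towards the client. A certificate error here
# still fails the connection; it does not fall back to splicing.
ssl_bump bump all
```

Bump failures for unlisted sites still surface as Squid error pages; the usual way to populate the list is to mine those errors from access.log or cache.log rather than to relax certificate checking globally.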

