[squid-users] Skype bypass using ssl_bump peek

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 17 12:13:22 UTC 2014



On 17/12/2014 10:52 p.m., Yu-Hsuan Liao wrote:
>> Only if "skype_list" matches the TCP packet IP address (without 
>> rDNS being looked up) will the peek happen.
> 
>> I think you need to add at_step ACL test to peek always at
>> step1, then do the other actions at step2 once SNI (domain name)
>> is possibly available.
> 
> Hello Amos,
> 
> What if a non-SSL over 443 or a non-HTTP over SSL connections?

The peek at step1 should be detecting that non-TLS/SSL is occurring.

For the non-HTTP over TLS/SSL... IF you bumped it Squid can still
fall back to tunnel I think, but a slower way than splice normally
would. A few people are indicating problems or weirdness with how
serverHello is handled so YMMV.


NP: this is all brand new complicated functionality and I'm not the
author/designer. So reality may differ a bit from what I understand of
it all.


> Skype voice connection seems a non-standard SSL
> negotiation (Partial Handshake), is it possible to revert to tunnel
> mode at steps to bypass the connection?
> 

As long as you are able to determine whether to do splice and Squid
has not yet auto-generated anything that got sent out, then you should
be able to.
If Squid has sent anything over the wire that was generated by Squid
(bumping) the only choices left are continue with bump or reject/abort.

Amos
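The peek-at-step1 / decide-at-step2 layout Amos describes above, written out as a squid.conf fragment. This is an added example for this archive page, not Amos's configuration or the Squid project's own documentation; the `ssl::server_name` patterns in `skype_list`, the certificate and `ssl_crtd` paths and the `dst` range are assumptions chosen for illustration and must be replaced with local values.

```conf
# Added example (not from the original message): ssl_bump rules that
# peek at SslBump step 1 and only choose splice vs. bump at step 2,
# once the ClientHello (and so possibly the SNI) has been seen.

http_port 3128
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Assumed helper path; adjust to the local Squid build.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Which SslBump step the ssl_bump rules are being evaluated at.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Match on the TLS server name (SNI). This is only populated from
# step 2 onward, after the ClientHello has been peeked at. A dst or
# dstdomain ACL evaluated at step 1 is instead matched against the TCP
# destination IP address, without any rDNS lookup.
acl skype_list ssl::server_name .skype.com .skype.net   # assumed patterns

# Step 1: always peek. Squid reads the ClientHello before deciding
# anything and has not yet generated or sent anything of its own, so
# both splice and bump remain possible at step 2. A client that sends
# something other than a TLS ClientHello on this port is detected here.
ssl_bump peek step1

# Step 2: splice (tunnel the bytes unmodified) when the SNI matches.
# Only the client's own ClientHello has been forwarded so far, which is
# why splicing is still an option at this point.
ssl_bump splice skype_list

# Everything else is bumped with a generated certificate. Once Squid has
# sent its own generated ServerHello/certificate, the only remaining
# choices for that connection are to keep bumping or to terminate.
ssl_bump bump all
```

If the endpoints are known by IP rather than by name, an IP-based ACL (for example `acl skype_ips dst 192.0.2.0/24`, a constructed placeholder range) can be placed as `ssl_bump splice step1 skype_ips` before the `peek step1` rule, since at step 1 only the TCP destination address is available for matching.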


