[squid-users] Assistance with knowing what I'm really trying to do

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 3 12:56:20 UTC 2014



On 4/11/2014 1:39 a.m., James Lay wrote:
> On Mon, 2014-11-03 at 17:22 +1300, Amos Jeffries wrote:
>> On 3/11/2014 11:12 a.m., James Lay wrote:
>>> A weird question....I guess I need to find out exactly what
>>> I'm wanting before going further with trying to get peek to
>>> work.  So here's a small example of what I currently have.
>>> From my .conf file:
>>> 
>>> acl broken_sites dst 23.192.0.0/11
>>> http_access allow broken_sites
>>> ssl_bump splice broken_sites
>>> 
>>> logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
>>> 
>>> This currently works (no cert_subject though)...log entry
>>> shown:
>>> 
>>> Nov  2 14:23:24 gateway (squid-1): 192.168.1.102 - - [02/Nov/2014:14:23:24 -0700] "CONNECT 23.211.233.155:443 HTTP/1.1" 200 4229 TCP_TUNNEL:ORIGINAL_DST -
>> 
>> The TCP_TUNNEL tag shows that no bumping was done. Thus no
>> details from inside the TLS transaction are available.
>> 
>> "ssl_bump splice" means the same as "ssl_bump none" ... use the 
>> non-bumped CONNECT handling.
>> 
>> 
>>> 
>>> Now this is required as the above will not function if bumped.
>>> 
>>> At work, we use a commercial proxy on which we do not use any SSL
>>> inspection.  These connections show up as, for example:
>>> 
>>> tcp://www.whateversite.com  TCP_DENIED
>>> 
>>> And that's what I'm hoping to achieve here...determine what
>>> the site is, and allow or deny it, without having to actually
>>> do any SSL inspection.  Will peek/stare accomplish this?  Or am
>>> I restricted to bump/inspection only, which for a fair amount
>>> of sites (facebook, instagram, google mail, etc) does not
>>> work. Thanks all...I appreciate any advice.
>> 
>> That depends on how you define "SSL inspection". If the TLS
>> details are not inspected with peek - then the details you want
>> will not be available. You can see that in the above example.
>> 
>> The ssl_bump access controls are now tested repeatedly in a
>> series of "steps" with the first matching action which is valid
>> at the step being performed. So I suspect the only working
>> configurations will use the at_step ACL type to restrict where
>> the rest of the tests will be performed.
>> 
>> If you look at the documentation for that ACL it shows the steps
>> are only before/after the client and server Hello messages.
>> 
>> I think you want to peek at step SslBump1 and splice at step
>> SslBump3. Or maybe peek at step 1 and 2 then splice at 3.
>> 
>> Amos
> 
> Thanks Amos.....looks like peek/splice is where this is going, so
> I'll continue this new information of at_step acl in my other
> thread.

It seems Christos has chimed in on the other thread. He is the
ssl-bump author, so take whatever he says as basis.

Amos
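As an added example, not taken from this thread or from the Squid project, here is a squid.conf fragment that applies the step-based approach Amos describes: peek at SslBump1 so the ClientHello is read, then splice (or terminate) once the SNI is known, without decrypting anything. It assumes Squid 3.5's `at_step`, `ssl::server_name` ACLs and the `%ssl::>sni` logformat token; the domain names are constructed placeholders.

```conf
# Handshake steps at which the ssl_bump rules are re-evaluated
acl step1 at_step SslBump1   # after the CONNECT, before the ClientHello
acl step2 at_step SslBump2   # after the ClientHello: SNI is known
acl step3 at_step SslBump3   # after the ServerHello: server cert is known

# Site lists matched on the SNI the client sent (placeholder names,
# constructed for this example; with no SNI Squid falls back to the
# CONNECT host)
acl allowed_sni ssl::server_name .example.net .example.org
acl blocked_sni ssl::server_name .blocked.example

# Step 1: peek, i.e. read the ClientHello without bumping. A plain
# "ssl_bump splice" here would tunnel blindly (TCP_TUNNEL, no TLS data).
ssl_bump peek step1

# Step 2: the SNI is available, so decide per site. "terminate" closes
# the connection; "splice" passes the bytes through unmodified.
ssl_bump terminate blocked_sni
ssl_bump splice allowed_sni

# Everything else: keep peeking at step 2, then splice at step 3
# (a peeked connection can no longer be bumped, only spliced/terminated).
ssl_bump peek step2
ssl_bump splice all

# Log the SNI so a spliced tunnel still shows which site was reached
logformat sni %>a [%tl] "%rm %ru HTTP/%rv" %>Hs %Ss:%Sh sni=%ssl::>sni
access_log /var/log/squid/access.log sni
```

With this in place, a spliced CONNECT is logged with the SNI instead of just the destination IP, which is the allow/deny-by-name behaviour asked for above, with no certificate interception involved.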