[squid-users] Correctly implementing peak-splice
Christos Tsantilas
christos at chtsanti.net
Wed Nov 5 10:24:24 UTC 2014
On 11/04/2014 02:26 PM, James Lay wrote:
>
> Thanks a bunch Christos,
>
> That list of IP's is things like apple.com, textnow.me, and windows
> updates...IP's that simply don't bump well. My setup is a linux box
> that's a router...one NIC internal IP, the other external IP. Via
> iptables redirect, I'm transparently intercepting the web traffic of a
> few devices, only allowing them access to the list of sites in url.txt.
> At issue with using the broken_sites list, is that I have to just
> specify large chucks of netblocks, which I lose control and visibility
> of. What I'm really hoping for is for a way for squid to be able to, in
> my case at least, look at either the server_name extension in the Client
You need to build your own external_acl helper which will take as input
the client sni (server_name extension). Read the squid wiki for information
about external acl helpers:
http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29
It is easy to build one in perl or as a shell script. I am suggesting to
build an external_acl helper which returns "OK" when the sni matches or
no sni information exists.
You can use the following configuration or similar:
#
external_acl_type EXTACL %ssl::>sni /path-to-my/external-acl-helper.sh
acl EXTACL external EXTACL
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# At first step peek all
ssl_bump peek step1 all
ssl_bump splice step2 EXTACL
ssl_bump bump all
> Hello, or, if that's not present, look at the dNSName of certificate
> being sent, check the access against url.txt, and either allow or deny.
In your case the server certificate information will not work well. At
the time this information is available:
1) in peek mode, you can not bump any more
2) in stare mode, you can not splice any more.
There are exceptions to the above rules (for example in case the client
uses the same SSL library as squid) but the SSL protocol is safe
enough to not allow us to make something better than this.
Regards,
Christos
>
> Ssl_bump does work well for most sites...and I understand we are
> performing a man in the middle attack so it's not supposed to be easy.
> Again my hope isn't really to perform a mitm...more of an access control
> type thing. Thanks again Christos...I hope I explained this well
> enough.
>
> James
>
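The helper Christos describes, written out as an added example (not code from the original thread or from the Squid project). It assumes the squid.conf line `external_acl_type EXTACL %ssl::>sni /path-to-my/external-acl-helper.sh /etc/squid/url.txt`, so the allow-list path arrives as the script's first argument; it also assumes Squid substitutes `-` for a missing SNI value and sends no channel ID (no `concurrency=` option). A hostname in the list matches the SNI exactly or as a parent domain; an absent SNI is answered with `OK`, which with the configuration above means the connection is spliced rather than bumped. The sample list inside `make_sample_list` is constructed for the self-test and is not James's url.txt.

```shell
#!/bin/sh
# Squid external_acl helper for SNI-based splice decisions (added example).
# Assumed squid.conf line (helper path and list file are placeholders):
#   external_acl_type EXTACL %ssl::>sni /path-to-my/external-acl-helper.sh /etc/squid/url.txt
# Squid writes one line per lookup holding the %ssl::>sni value ("-" when
# the ClientHello carried no SNI; an assumption about the format) and
# expects a single "OK" or "ERR" line back.

# Return 0 (allowed) when the SNI is absent or matches a list entry exactly
# or as a subdomain of it; return 1 otherwise.
sni_allowed() {
    sni=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    list=$2
    # No SNI: answer OK so the connection is spliced instead of bumped.
    if [ -z "$sni" ] || [ "$sni" = "-" ]; then
        return 0
    fi
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z')
        case "$entry" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        case "$sni" in
            "$entry"|*."$entry") return 0 ;;  # exact host or any subdomain
        esac
    done < "$list"
    return 1
}

# Helper protocol loop: one OK/ERR reply per input line, in order.
serve() {
    while IFS= read -r line; do
        if sni_allowed "$line" "$1"; then
            echo OK
        else
            echo ERR
        fi
    done
}

# Constructed sample allow-list (stand-in for url.txt), used for testing.
# Prints the path of the temporary file it creates.
make_sample_list() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# hosts that are spliced rather than bumped
apple.com
textnow.me
windowsupdate.com
EOF
    printf '%s' "$f"
}

# When Squid starts the helper it passes the list path as $1; with no
# argument the script only defines the functions above.
if [ $# -ge 1 ]; then
    serve "$1"
fi
```

Because Squid keeps the helper running and feeds it one lookup per line, the loop in `serve` must answer every line and never buffer; if you add `concurrency=N` to `external_acl_type`, each input line gains a leading channel ID that must be echoed back in front of the `OK`/`ERR`, which this script does not handle.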