[squid-users] can't get bump to work anymore on 3.5.7?

Alex Rousskov rousskov at measurement-factory.com
Wed Aug 19 15:36:38 UTC 2015


On 08/19/2015 04:09 AM, Jason Haar wrote:

> So is there no way to get the SNI field from the client without breaking
> the opportunity for bump?

SNI is obtained during step #1. Peeking during step #1 does _not_
preclude future bumping.

If you want to get SNI and bump, then peek at step #1 and bump at the
next step (i.e., step #2):

  # Step 1: only the client's ClientHello (and its SNI) has been seen; peek to learn it
  acl step1 at_step SslBump1
  ssl_bump peek step1
  # Step 2: the SNI is known; bump everything that is not in the "bank" ACL
  ssl_bump bump !bank


Please note that doing so will give you no knowledge about the SSL
server point of view. All your decisions will be based on what the
client has told you. This is often not a problem because, in most cases,
if the client lied, the [bumped or spliced] connection to the SSL server
will not work anyway. However, if the client supplied no SNI
information, then your "bank" ACL (or equivalent) may not have enough
information to go on, especially for intercepted connections.

If you also peek at step #2, you will know the server certificate, but
you will no longer be able to bump the connection in most cases.


HTH,

Alex.
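A fuller squid.conf fragment that spells out the peek-then-bump pattern Alex describes, including the splice rule for the "bank" sites and the commented-out "peek at step 2 too" variant he warns about. This is an added example, not code from Alex's post or from the Squid project; the hostnames, the definition of the "bank" ACL and the presence of an ssl-bump-enabled listening port are assumptions for illustration.

```conf
# Added example (not from the original post). Assumes an http_port/https_port
# with ssl-bump and a generated CA are already configured; hostnames are placeholders.

# The three SslBump decision points:
#   step 1: only the client's ClientHello has been received (SNI, if any, is known)
#   step 2: the server certificate could now be fetched
#   step 3: final decision after both sides have been seen
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites that must never be bumped. At step 2, after a step-1 peek, ssl::server_name
# matches what the client claimed (its SNI, or the CONNECT host for forwarded
# requests), not anything the server said. If the client sent no SNI, as some
# intercepted clients do, this ACL may have nothing useful to match and the
# connection falls through to the bump rule below.
acl bank ssl::server_name .example-bank.test
acl bank ssl::server_name .example-broker.test

# Step 1: peek to learn the SNI without committing to splice or bump.
ssl_bump peek step1

# Step 2: decide purely on client-supplied information.
ssl_bump splice bank
ssl_bump bump all

# Alternative NOT used above: peeking again at step 2 reveals the server
# certificate, but in most cases bumping is then no longer possible, so the
# step-3 choice is effectively limited to splice (or terminate):
#   ssl_bump peek step2
#   ssl_bump splice all
```

Keep the step-1 peek as the first matching rule: if a `bump` or `splice` rule matches at step 1, Squid commits on the basis of the TCP-level destination alone, before the SNI has been read.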


