[squid-users] Squid 3 SSL bump: Google drive application could not connect
Jason Haar
Jason_Haar at trimble.com
Mon Jan 5 03:19:26 UTC 2015
On 05/01/15 15:44, Eliezer Croitoru wrote:
> A squid helper is nice but... a NFQUEUE helper that can verify if to
> FORWARD or BUMP the connection would be a better suited solution to my
> opinion.
Not sure if you're ignoring the ssl-peek work, but squid still needs to
be able to "peek" in order for squid to know the actual HTTPS server
name the client is connecting to before it's able to call any external
helper/etc. As that involves understanding SSL (which is a huge chunk of
code) - that means it's not appropriate for a kernel solution - it has
to be done at Layer-7 (ie squid - but not some app called by squid as
that's too late to see the data it needs)
eg after hearing how James Harper wrote his own external "https-tester"
script, I've written my own and have been merrily testing it under
squid-3.4.10 (ie not 3.5 with "peek"). In proxy-mode it works great, the
"https-tester" script is passed the DNS name and port, it manually uses
curl to test that to ensure it's a real HTTPS server and returns OK,
else it returns ERR - making squid fall-back on passthrough/splice mode.
That means it can detect non-SSL apps, as well as client-cert protected
HTTPS webservers (which you also have to drop back to splice with - you
can never successfully MiTM a client-cert based SSL session).
However, the moment you try to do transparent https proxy, things break.
In that case, squid-3.4 only sees the destination IP, and "https_tester"
can only try to "curl -k https://ip.add.ress:port/" - which only works
for *some* webservers. A lot have WAFs on them and righteously ditch the
incoming connection when they recognise the client (my script) doesn't
know what their hostname is. eg any HTTPS site using cloudfront.net is
in that category. Of course it still works - but in passthrough mode -
which isn't the outcome we're after.
I'm going to have to look at squid-3.5 ;-)
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the squid-users
mailing list