[squid-users] Squid 3 SSL bump: Google drive application could not connect
Yuri Voinov
yvoinov at gmail.com
Mon Jan 5 16:37:34 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Agreed.
I'm expert on shell, not Perl/Python. :)
But will try to make some useful with it.
05.01.2015 22:28, Eliezer Croitoru пишет:
> On 01/05/2015 05:18 PM, Yuri Voinov wrote:
> > We haven't filtering non_HTTP over port-443. Just recognize and
> > pass.
>
> So let's separate security which is one of the goals of squid and
> which some like and other don't.
>
> For now squid 3.4 is stable and 3.5 is in beta and trunk is not for
> the public use.
> In 3.5 there will be present a new feature which called peek and
> splice that can give an interface to squid and the admin which will
> allow the admin to know couple things about the connection from squid
> and specifically first the client TLS request.
> Once squid bumped a connection there are couple steps until the
> connection is fully established between the client and the server:
> - receive the TCP connection from client
> - BUMP server or client FIRST
> - determine what certificate to send to the client based on the server
> initial ssl response
> - fake it
> - send to the client
> - MITM between two tls connections on the proxy while inspecting the
> content in the software layer.
>
> Peek and splice will add another step between the first part to the
> second and which will allow SNI usage.
> All the above is to allow better BUMPING.
> There might be or will be probably an interface that will identify or
> will try to identify inside the current stages of the connection
> bumping if the connection is indeed a TLS or another one.
> The first step of peek and splice can identify if the connection from
> the client side has started using a valid TLS\SSL headers.
>
> Leaving all the BUMPING yes or no You(Yuri) need a very specific tool
> or want a very specific tool.
> The basic interface of the external_acl can provide enough data on the
> connection in order to enforce some rules.
> You can either use the client IP address or just the destination IP
> and PORT.
>
> I cannot speak for the squid project but I am almost sure that the
> squid project will not provide you with an official helper and will
> not support it.
> However squid external_acl is there especially to help others achieve
> what they want using a variety of parameters from squid internals.
> The external_acl interface provides internal caching which supports
> caching ttl with different values for the two options either allow(OK)
> or DENY(ERR).
>
> My suggestions stays, don't use sqlite if possible.
> There is a sketch for a helper like you seems to want.
> Take the glove and write a pesudo code for the helper idea based on
> the assumptions:
> - There is a DB which can store timestamps, ip, port, result of test, etc
> - There is a way to check if the certificate is valid and the server
> works with TLS\SSL
> - There is no way for the helper to know that a certificate is pined
> - There is a way to add static records to the DB(web interface, cli)
> - All the requests will come from the proxy IP address and can by some
> be identified as an attack.
> - ufdbguard does not provide your needs since it uses url_rewrite
> interface and doesn't have the needed functionalities for you.
>
> The best I have seen until now was the python helper.
> If in couple(4-5) month nobody will do something with this I will see
> then what can be done with this if at all.
>
> Elizer
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBAgAGBQJUqr3NAAoJENNXIZxhPexG5UoIAKxANAcs77iuSQlNOmbO9D4B
xip3QbFhug2/LayR+Wa1Vd3UBUfkSUUdvvqedXRc6KKfCqxa5BECTYSpM0qT/L+h
WasstLpV/Mm2seYRK/CUJbmAJDps6mAgB8MdU1Kq9XWUVYGuGHXnWa220sU/TuhW
wD55VRDScX7cELOQyv4kCr/3mqobLD0KLAMwpDwtxel88eE9NYFW1OcIyM2XHtJd
ouY/hM6sAlYusXITrQrbOy7Sw5yT6DjY+sm6NYx7NCpDyKZTZemU0QVN9hEG6H0s
AmPi0m3OedUAmh83rXMS47+GyzIq3yxIqe52qOsFSsA5PoK/l93zqRivvUUTxyQ=
=sq3n
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150105/fde093b7/attachment-0001.html>
More information about the squid-users
mailing list