[squid-users] Squid 3 SSL bump: Google drive application could not connect

Chris Bennett chris at ceegeebee.com
Thu Jan 8 05:41:57 UTC 2015


Interesting thread so far.  Has anyone thought of using Bro-IDS as a
feedback loop for some of this advanced logic for bypassing bumping?
Bro performs passive reconnaissance, generates very useful logs for
any payloads it can decode, and is extendable.

e.g. ssl.log may contain something like this for a mail.google connection (it's
usually TSV, I've added headers for readability)

ts                    1420695401.142980
uid                   CPy8RndJtKO7AWuba
id.orig_h             10.0.3.54
id.orig_p             49471
id.resp_h             216.58.220.101
id.resp_p             443
version               TLSv10
cipher                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
server_name           mail.google.com
session_id            b9be0d07db3c10511d673d8537c7809eddbee60a6601a7a23f67d97ab23fc6e8
subject               CN=mail.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
issuer_subject        CN=Google Internet Authority G2,O=Google Inc,C=US
not_valid_before      1418172300.000000
not_valid_after       1425907800.000000
last_alert            -
client_subject        -
client_issuer_subject -
cert_hash             7081464425ab98aef8f5818ebd40fec9
validation_status     ok

I like the active external acl solution since it meets a need, but
there is overhead.  I'm not quite sure what Bro logs for non-HTTPS
443 traffic, but I thought I'd chime in with the above idea if anyone
wants to expand on it further :)

Regards,

Chris
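As an added illustration of the feedback-loop idea above (example code written for this page, not part of the post or of Bro or Squid): the script below parses Bro's TSV ssl.log using the field names shown in the message, derives a list of server names whose TLS sessions looked broken (a TLS alert was recorded or certificate validation did not return "ok"), and serves that list to Squid as an external ACL helper that answers OK for a matching SNI and ERR otherwise. The sample log is constructed; its first record repeats the values from the post, the second is made up. The Squid side is assumed to be something like `external_acl_type bro_splice %ssl::>sni /path/to/this_script.py` followed by `ssl_bump splice bro_splice` and `ssl_bump bump all`; the `%ssl::>sni` format code and the helper protocol (one request per line, optional leading channel id, reply OK or ERR) are as documented for Squid 3.x, but the exact policy of which records count as "broken" is this example's own choice.

```python
"""Build a Squid ssl_bump splice list from Bro ssl.log and serve it as an
external ACL helper.  Added example for the squid-users thread; it is not
code from Bro, Squid, or the original poster."""
import sys
from typing import Dict, Iterator, List, Optional, Set

# Constructed sample of a Bro ssl.log.  Bro writes '#separator \x09' literally
# on the first line and real tabs everywhere else.  Record 1 repeats the values
# quoted in the post; record 2 is made up to show a failed session.
SAMPLE_SSL_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tssl\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\t"
    "cipher\tserver_name\tsession_id\tsubject\tissuer_subject\tnot_valid_before\t"
    "not_valid_after\tlast_alert\tclient_subject\tclient_issuer_subject\t"
    "cert_hash\tvalidation_status\n"
    "1420695401.142980\tCPy8RndJtKO7AWuba\t10.0.3.54\t49471\t216.58.220.101\t443\t"
    "TLSv10\tTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA\tmail.google.com\t"
    "b9be0d07db3c10511d673d8537c7809eddbee60a6601a7a23f67d97ab23fc6e8\t"
    "CN=mail.google.com,O=Google Inc,L=Mountain View,ST=California,C=US\t"
    "CN=Google Internet Authority G2,O=Google Inc,C=US\t1418172300.000000\t"
    "1425907800.000000\t-\t-\t-\t7081464425ab98aef8f5818ebd40fec9\tok\n"
    # Constructed: a client that aborted the handshake after seeing the bumped cert.
    "1420695402.500000\tCabcdefghijklmnop\t10.0.3.55\t50123\t203.0.113.10\t443\t"
    "TLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tpinned.example.net\t-\t"
    "CN=pinned.example.net\tCN=Proxy Bump CA\t1418172300.000000\t1425907800.000000\t"
    "bad_certificate\t-\t-\t-\tunable to get local issuer certificate\n"
    "#close\t2015-01-08-05-41-57\n"
)


def parse_bro_log(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per data row, keyed by the names in the '#fields' header.
    Values equal to the '#unset_field' marker become None."""
    fields: List[str] = []
    unset = "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#unset_field" and len(parts) > 1:
                unset = parts[1]
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("row has %d columns, header has %d" % (len(values), len(fields)))
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def looks_broken(rec: Dict[str, Optional[str]]) -> bool:
    """Illustrative policy (this example's own): treat a session as broken when
    Bro recorded a TLS alert or certificate validation did not succeed."""
    return rec.get("last_alert") is not None or rec.get("validation_status") != "ok"


def splice_names(text: str) -> Set[str]:
    """Server names (SNI, lower-cased) that Squid should splice rather than bump."""
    return {
        rec["server_name"].lower()
        for rec in parse_bro_log(text)
        if rec.get("server_name") and looks_broken(rec)
    }


def helper_reply(request: str, names: Set[str]) -> str:
    """Answer one Squid external ACL request line.  With 'concurrency=N' Squid
    prefixes a numeric channel id, which must be echoed back unchanged."""
    parts = request.strip().split()
    channel = ""
    if parts and parts[0].isdigit():
        channel = parts[0] + " "
        parts = parts[1:]
    sni = parts[0].lower() if parts else ""
    return channel + ("OK" if sni in names else "ERR")


def main() -> None:
    # Usage: this_script.py /path/to/ssl.log  (Squid talks to stdin/stdout)
    with open(sys.argv[1], "r", encoding="utf-8") as fh:
        names = splice_names(fh.read())
    for line in sys.stdin:
        sys.stdout.write(helper_reply(line, names) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The list is loaded once at helper start; a production version would re-read the log (or Bro's current-day file) on a timer so the feedback loop actually closes, and would want a suffix or wildcard match for names that rotate across hosts.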