[squid-users] HTTPS intercept, simple configuration to avoid bank bumping
Jason Haar
Jason_Haar at trimble.com
Mon Jan 26 21:33:40 UTC 2015
Well the documentation says
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After getting SSL Client Hello info.
# SslBump3: After getting SSL Server Hello info.
So that means SslBump1 only works for direct proxy (ie CONNECT)
sessions, it's SslBump2 that peeks into the traffic to discover the
client SNI hostname. So I think you actually need (I'll use more
descriptive acl names and comment out those that I think don't add any
value)
acl domains_nobump dstdomain "/etc/squid/domains_nobump.acl"
#no added value: acl DiscoverCONNECTHost at_step SslBump1
acl DiscoverSNIHost at_step SslBump2
#don't use - breaks bump: acl DiscoverServerHost at_step SslBump3
#no added value - in fact forces peek for some reason: ssl_bump peek
DiscoverCONNECTHost all
ssl_bump peek DiscoverSNIHost all
ssl_bump splice domains_nobump
#DiscoverSNIHost should now mean Squid knows about all the SNI details
ssl_bump bump all
Sadly, this doesn't work for me *in transparent mode*. Works fine when
using squid as a formal proxy, but when used via https_port intercept,
we end up with IP address certs instead of SNI certs.
We really need someone who knows more to tell us how to make this work :-(
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150127/3a2a7c1d/attachment.html>
More information about the squid-users
mailing list