[squid-users] HTTPS intercept, simple configuration to avoid bank bumping

Jason Haar Jason_Haar at trimble.com
Tue Jan 27 21:02:35 UTC 2015


I might have found something

Turning up debugging shows that squid is learning the SNI value from an
intercepted/transparent HTTPS session (or is it learnt from the server
response?)

2015/01/28 09:23:34.328 kid1| bio.cc(835) parseV3Hello: Found server name: www.kiwibank.co.nz

Looking that up in the source code, it's from bio.cc. However the same
file implies I should also be seeing the SNI debug line:

#if defined(TLSEXT_NAMETYPE_host_name)
    if (const char *server = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))
        serverName = server;
    debugs(83, 7, "SNI server name: " << serverName);
#endif


On my test Ubuntu 14.04 laptop with squid-3.5.1 and openssl-1.0.1f,
TLSEXT_NAMETYPE_host_name is defined in /usr/include/openssl/tls1.h, so
that should cause that debug line to be called - but it isn't?

I also confirmed with wireshark that my Firefox browser was generating a
SNI (although it took me a few minutes to realise I have to sniff port
3129 [which I redirected 443 onto] as well as 443 to get the full tcp
session)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
