[squid-users] problem with some ssl services

Jason Haar Jason_Haar at trimble.com
Wed Jun 17 06:52:31 UTC 2015


On 15/06/15 11:58, Amos Jeffries wrote:
> Ensure that you are using the very latest Squid version to avoid
> problems with unsupported TLS mechanisms. The latest Squid will also
> automatically splice if its determined that the TLS connection cannot be
> bumped.
Is that supposed to be in 3.5.5? I just noticed a problem with bumping
that came down to the web server requiring client cert validation, and
squid-3.5.5 failed to splice, so it failed going through bump (as you'd
expect).

I guess I'm asking if this new "SSL determination" includes detecting
client certs, because that would be a good one to detect if possible?

Now that I think of it, that might be a mug's game. The site I'm
referring to had a "SSLVerifyClient optional" on a subdirectory, so it's
probably quite unfair to expect a TLS intercept to "magically" know which
encrypted URLs it can fiddle with and which ones it can't ;-) Hmmm, OTOH,
maybe if squid decides a server is asking for even optional client certs,
it declares the entire SNI to be splice instead of bump - frankly I'd live
with that (i.e. it might start out bumping, but then flick to splice on
the first bit of evidence that some part needed client certs - even
optional).

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
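The policy Jason describes (splice a whole SNI once it is known to need client certificates, bump everything else) can be expressed by hand in Squid 3.5's ssl_bump rules. The fragment below is an added example, not from the original thread or from the Squid project's documentation; the domain `.client-cert-site.example` is a placeholder for whatever names an administrator has observed failing under bump, and the list is maintained manually (nothing here makes Squid detect a TLS CertificateRequest on its own).

```conf
# Added example (not from the original post): a squid.conf ssl_bump policy
# for Squid 3.5 that peeks at the client's SNI first, splices hosts known
# to ask for client certificates, and bumps everything else.
#
# Weak setting: bump everything. When the origin server sends a TLS
# CertificateRequest, the connection it sees belongs to the proxy, which
# has no client certificate to present, so those requests fail.
#
#   ssl_bump bump all
#
# Corrected policy:
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Placeholder list: SNI names observed to require (even optional) client
# certificates. Replace with the real hostnames for your environment.
acl needs_client_cert ssl::server_name .client-cert-site.example

# Step 1: read the ClientHello (SNI) without committing to bump.
ssl_bump peek step1
# From step 2 on: anything whose name is on the list is passed through
# untouched, at the cost of losing visibility into that SNI entirely.
ssl_bump splice needs_client_cert
# Everything else is bumped.
ssl_bump bump all
```

At step 1 `ssl::server_name` matches the SNI from the ClientHello, so a client that sends no SNI cannot be matched there; at step 2, after peeking at the server's certificate, the same ACL matches the names in that certificate, which is why the `splice` line is evaluated after `peek step1` rather than being tied to step 1 only. Because the exclusion is per SNI rather than per URL, a host that only needs a client certificate on one subdirectory is spliced as a whole, which is the trade-off the post describes.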