[squid-users] SSL Peek-n-Splice and exclusions by SNI
Nathan Hoad
nathan at getoffmalawn.com
Mon Mar 9 04:52:31 UTC 2015
Hi folks,
I'm playing with 3.5.2 and Peek-n-Splice. I was wondering if it's
actually possible to exclude requests based on the SNI host and have
Squid still bump correctly. I've been trying with this configuration,
using a simple external acl:
https_port 60443 intercept ssl-bump cert=/path/to/inspectcert.pem key=/path/to/inspectkey.pem generate-host-certificates=on
external_acl_type sni ttl=30 concurrency=60 children-max=3 children-startup=1 %ssl::>sni /usr/libexec/bumphelper
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl sslbump_exclusions external sni
ssl_bump peek step1 all
ssl_bump splice step2 sslbump_exclusions
ssl_bump bump all
Where bumphelper is a very simple Python script:
import sys

# Concurrent helper protocol: each request line is "<id> <sni>", each reply
# line is "<id> OK" (match -> splice) or "<id> ERR" (no match -> bump).
while True:
    req = sys.stdin.readline()
    if not req:
        break
    id, sni = req.split()
    sys.stderr.write('request %r\n' % req)
    sys.stderr.flush()
    if sni == 'google.com':  # bypass
        sys.stdout.write('{} OK\n'.format(id))
        sys.stdout.flush()
    else:
        sys.stdout.write('{} ERR\n'.format(id))
        sys.stdout.flush()
The result I'm seeing is that requesting "https://youtube.com" gets
inspected as it should, but "https://google.com" results in a
handshake error, when it should have been bypassed, like so:
[~]# openssl s_client -connect google.com:443 -servername google.com
CONNECTED(00000003)
140086124283808:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 268 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
So what am I missing? It's very hard to find documentation about this,
so I might put this up on the wiki as an example once it's sorted.
Cheers,
Nathan.
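For readers following the thread, here is an added example of the same kind of helper (not Nathan's bumphelper and not code shipped with Squid) written so the decision logic can be tested on its own. It assumes the concurrent "<id> <sni>" request format from the external_acl_type line above, a constructed exclusion list (exact hosts or ".suffix" entries), and the Squid 3.5 helper replies OK, ERR and BH (helper-side failure).

```python
#!/usr/bin/env python3
# Added example: Squid external_acl_type helper that says OK (splice) for
# TLS connections whose SNI matches an exclusion list and ERR (bump) otherwise.
import sys

# Constructed exclusion list (assumption, not from the post): exact host names
# or ".suffix" entries that also match the bare suffix itself.
EXCLUDED = {"google.com", ".googleapis.com"}


def sni_excluded(sni, excluded=EXCLUDED):
    """Return True when the SNI host should be spliced instead of bumped."""
    host = sni.strip().lower().rstrip(".")   # normalise case and trailing dot
    if not host or host == "-":              # Squid sends '-' when no SNI seen
        return False                         # no SNI: keep bumping
    for entry in excluded:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def handle_line(line, excluded=EXCLUDED):
    """Map one request line ('<id> <sni>') to the reply line Squid expects."""
    parts = line.split()
    if not parts:                            # blank line: nothing to answer
        return None
    req_id = parts[0]
    if len(parts) < 2:                       # malformed request: report BH
        return "{} BH".format(req_id)
    verdict = "OK" if sni_excluded(parts[1], excluded) else "ERR"
    return "{} {}".format(req_id, verdict)


def main():
    # Line-oriented loop; flush after every reply so Squid is never left
    # waiting on a buffered answer.
    for line in sys.stdin:
        reply = handle_line(line)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```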