[squid-users] ssl_bump for specific dstdomain

Daniel Greenwald dig at digcorp.net
Fri Mar 27 15:34:00 UTC 2015


Here is a Python helper I wrote with the help of previous posts. It takes
the SNI info from Squid and returns OK if the domain is in
/etc/squid/domains_nobump.acl (I am not a coder..). The problem is it works
well for intercepted browser traffic but doesn't work when a user
tries to use an app on, e.g., an Android device. In my cache.log I get:
 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

It seems Squid doesn't send the SNI info before the error shows up in
cache.log and the app barfs. I'm guessing the app is detecting the
SSLBump before Squid is able to grab the SNI. Does this make sense?
Any ideas to move this forward?


#!/usr/bin/python
# Squid external ACL helper. With concurrency= set, Squid writes one
# "<channel-id> <sni>" line per lookup ("-" when the client sent no SNI)
# and expects "<channel-id> OK" or "<channel-id> ERR" back on stdout.
import sys

# One entry per line, dstdomain style: ".example.com" matches that domain
# and every subdomain, "example.com" matches that exact name only.
# Blank lines and "#" comments are skipped; names are compared lower-cased.
lines = []
with open('/etc/squid/domains_nobump.acl') as acl:
    for line in acl:
        line = line.strip().lower()
        if line and not line.startswith('#'):
            lines.append(line)


def matches(sni, pattern):
    """True if the SNI name is covered by one ACL line."""
    if pattern.startswith('.'):
        # ".example.com" covers "example.com" itself and any "x.example.com"
        return sni == pattern.lstrip('.') or sni.endswith(pattern)
    return sni == pattern


def reply(channel, answer):
    sys.stdout.write('{} {}\n'.format(channel, answer))
    sys.stdout.flush()


while True:
    req = sys.stdin.readline()
    if not req:
        break                       # EOF: Squid closed the helper
    req = req.strip()
    if not req:
        continue

    sys.stderr.write('request %r\n' % req)
    sys.stderr.flush()

    try:
        id, sni = req.split()
    except ValueError:
        # Malformed line. Still answer on the channel, otherwise Squid
        # waits for a reply that never comes.
        sys.stderr.write('SNICHECK INPUT: %r\n' % req)
        sys.stderr.flush()
        reply(req.split()[0], 'ERR')
        continue

    sni = sni.lower()
    for line in lines:
        if matches(sni, line):
            reply(id, 'OK')          # listed: splice, do not bump
            break
    else:
        reply(id, 'ERR')             # not listed: fall through to the bump rules


squid.conf:

external_acl_type sni ttl=30 concurrency=60 children-max=3 children-startup=1 %ssl::>sni /usr/lib64/squid/snicheck.py
acl sni_nobump external sni
ssl_bump splice sni_nobump
ssl_bump peek step1 all
ssl_bump bump step2 all
-----------
Daniel I Greenwald




On Fri, Mar 13, 2015 at 5:04 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 13/03/2015 6:39 p.m., Yuri Voinov wrote:
>>
>>
>> 13.03.15 2:37, Mukul Gandhi wrote:
>>> On Thu, Mar 12, 2015 at 11:04 AM, Yuri Voinov <yvoinov at gmail.com>
>>> wrote:
>>
>>> You only have an external helper (which you must write yourself) in
>>> 3.4.x.
>>
>>
>>>> Are there any examples that I can look at to implement this
>>>> external helper for doing selective ssl_bumps? And what would
>>>> this helper script do anyway? All we have is the destination IP
>>>> address, which is not really going to give us the actual HTTP
>>>> hostname.
>> Yes and no. There is one third-party helper in the list archives, written
>> in Python. None of these are included in the Squid distribution.
>>
>>
>>> Working with domains in ssl_bump is fully available at least in 3.5.x.
>>
>>
>>>> Does the 3.5.x implementation decrypt the whole payload and then
>>>> do the ssl_bump? The "peek" option seems to imply that only the
>>>> HTTP headers are peeked at.
>> Of course. As in 3.4.x. The difference is only in the mechanisms.
>
> And no at the same time. HTTP message headers inside the encryption are
> encrypted and unavailable until after the decryption is decided (bumped).
>
> What gets peeked at is the TLS ClientHello and TLS ServerHello details.
> SNI may become available by peeking when raw-IP was all that was in the
> HTTP CONNECT message or intercepted TCP packets.
>
> You can then use those non-private TLS details to decide between reject,
> splice (pass-thru) or bump (decrypt) for the encrypted HTTPS data.
>
>
>>
>>>> I guess what I am asking is, is there any way we can do this
>>>> without actually decrypting the payload?
>> 3.5.x peek-and-splice functionality does the bump split into stages,
>> as opposed to 3.4.x, which does the bump in one stage.
>>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
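To make concrete what Amos describes above (the proxy peeks at the unencrypted ClientHello, pulls the SNI out of it, and only then decides splice or bump) and how that feeds a name-based helper like the one posted, here is an added example that is not part of the original thread and not Squid's own code. It builds two TLS 1.2 ClientHello records inline (one with a server_name extension, one without), parses the SNI back out the way a peeking proxy would, and applies the same dstdomain-style match against a constructed stand-in for domains_nobump.acl. The function names (build_client_hello, extract_sni, decide) and the NOBUMP list are assumptions made for the example. A ClientHello with no SNI can never match a domain list, which is the case where the helper sees "-" and the decision falls through to bump.

```python
#!/usr/bin/env python3
"""Peek at a TLS ClientHello for SNI, then make the splice/bump decision.

Added example, not Squid's code: the ClientHellos are constructed here
(no network) and NOBUMP is a made-up stand-in for domains_nobump.acl."""
import os
import struct

NOBUMP = ['.bank.example', 'mail.example']   # constructed no-bump list


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record, with SNI if given."""
    exts = b''
    if server_name is not None:
        host = server_name.encode('ascii')
        entry = b'\x00' + struct.pack('!H', len(host)) + host   # name_type 0 = host_name
        names = struct.pack('!H', len(entry)) + entry             # server_name_list
        exts += struct.pack('!HH', 0x0000, len(names)) + names    # ext type 0 = server_name
    body = (b'\x03\x03' + os.urandom(32)            # client_version + random
            + b'\x00'                                # empty session id
            + struct.pack('!H', 2) + b'\xc0\x2f'     # one cipher suite
            + b'\x01\x00'                            # compression: null only
            + struct.pack('!H', len(exts)) + exts)
    handshake = b'\x01' + struct.pack('!I', len(body))[1:] + body   # ClientHello(1), 3-byte len
    return b'\x16\x03\x01' + struct.pack('!H', len(handshake)) + handshake  # record type 22


def extract_sni(record):
    """Return the host_name from the server_name extension, lower-cased,
    or None when the client sent no SNI. Raises ValueError if malformed."""
    try:
        if record[0] != 0x16:
            raise ValueError('not a TLS handshake record')
        rec_len = struct.unpack('!H', record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError('not a ClientHello')
        hs_len = int.from_bytes(hs[1:4], 'big')
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError('truncated ClientHello')
        pos = 2 + 32                                   # skip version + random
        pos += 1 + body[pos]                           # session id
        pos += 2 + struct.unpack('!H', body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                           # compression methods
        if pos == len(body):
            return None                                # no extensions block at all
        ext_len = struct.unpack('!H', body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack('!HH', body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            # server_name_list: 2-byte list length, then (type, len, name) entries
            lpos = 2
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack('!H', data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:
                    return data[lpos:lpos + nlen].decode('ascii').lower()
                lpos += nlen
        return None
    except (struct.error, IndexError) as exc:
        raise ValueError('malformed ClientHello') from exc


def listed(sni, pattern):
    """dstdomain-style match: ".d" covers d and its subdomains, "d" only d."""
    if pattern.startswith('.'):
        return sni == pattern.lstrip('.') or sni.endswith(pattern)
    return sni == pattern


def decide(record, nobump=NOBUMP):
    """'splice' when the peeked SNI is in the no-bump list, else 'bump'.
    No SNI means nothing to match, so such clients always end up bumped."""
    sni = extract_sni(record)
    if sni is not None and any(listed(sni, p) for p in nobump):
        return 'splice'
    return 'bump'


if __name__ == '__main__':
    for name in ['www.bank.example', 'bank.example', 'notmail.example', None]:
        rec = build_client_hello(name)
        print(name, '->', extract_sni(rec), decide(rec))
```

The parse stops at the ClientHello; nothing after it is readable without completing the handshake, which is why the decision has to rest on SNI (and ServerHello details) alone, exactly as Amos says. Running it shows the no-SNI client going to bump even though it may well be headed for a listed host.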

