[squid-users] SSL Peak and Splice

Casey Daniels - mailinglist mailinglist at cd.kcfam.net
Thu May 14 07:43:59 UTC 2015


> On May 14, 2015 at 12:37 AM Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
>
> On 14/05/2015 10:47 a.m., Casey Daniels - mailinglist wrote:
> >> On May 13, 2015 at 3:25 AM Amos Jeffries <squid3 at treenet.co.nz> wrote:
> >>
> >>
> >> On 13/05/2015 6:17 a.m., Casey Daniels wrote:
> >>> Hi,
> >>> I've been trying to figure out how to do some web filtering on HTTPS,
> >>> with no really good options given the layout I have. But then I just
> >>> happened to see this feature for Squid 3.5, and was wondering if I'm
> >>> understanding it correctly.
> >>>
> >>> With the Peek and Splice feature, is it possible to run squid in a
> >>> transparent mode for SSL, and check for certain hosts and either deny the
> >>> connection altogether or allow the connection without further
> >>> interference from Squid? Would this be completely transparent without
> >>> adding a trusted certificate from the proxy server to all user devices?
> >>
> >> Depends on how you define "host" and what the TLS ClientHello
> >> information contains.
> >>
> >> If you define "host" in the official standard Internet terminology (a
> >> single machine), then no, it's not possible. NAT and "load balancing"
> >> utterly destroyed the ability to determine if the host being spoken to
> >> is the host indicated in the packets.
> >> Case in point is your interceptor - a completely different host to the
> >> one the client sees in its packets. Nothing stops other interceptors
> >> existing upstream from you.
> >>
> >> If by "host" you actually meant FQDN or host *name*, it can be done when
> >> and only when the TLS SNI information is made available by the client.
> >>
> >> Amos
> >>
> >
> > Yes, the second option, not the particular machine, but the FQDN
> > (i.e. <http://www.cooking.com>)
>
>
> # get TLS SNI details etc
> ssl_bump peek all
>
> # some get rejected: ssl::server_name is the SNI-based ACL type,
> # terminate is the ssl_bump action that closes the connection
> acl blocked ssl::server_name .example.com
> ssl_bump terminate blocked
>
> # the rest allowed without decrypting
> ssl_bump splice all
>
>
> > When is the TLS SNI information made available by the client?
>
> They send it or they don't. Nothing you or we can do about it.
>
> Amos
 
Thank You,
Casey

