[squid-users] SSL Peak and Splice
Casey Daniels
mailinglist at cd.kcfam.net
Thu May 14 23:15:48 UTC 2015
On 05/14/2015 12:37 AM, Amos Jeffries wrote:
>> Yes the second option, not the particular machine, but the FQDN
>> (i.e.<http://www.cooking.com> )
>
> # get TLS SNI details etc
> ssl_bump peek all
>
> # some get rejected
> acl blocked ssl:server_name .example.com
> ssl_bump reject blocked
>
> # the rest allowed without decrypting
> ssl_bump splice all
>
>
>> When is the TLS SNI information made available by the client?
> They send it or they dont. Nothign you or we can do about it.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
One Follow up question.
You said "They send it or they don't. Nothing you or we can do about
it." Are you referring to that we don't have control if they send it or
not, or there is nothing we can do if they don't?
My question is, is there some way to either reject the conection, or do
a full SSL bump the connection for further examnation if the TLS SNI
information isn't present? From my understanding all modern browsers
should be sending the TLS SNI information, and the SSL fallback has been
disabled by default on them except for Windows IE. So blocking
connections that fail to give TLS SNI information doesn't appear to be a
problem except for people using outdated devices.
Casey
More information about the squid-users
mailing list