[squid-users] sslBump adventures in enterprise production environment
Alex Rousskov
rousskov at measurement-factory.com
Sun Nov 15 22:31:42 UTC 2015
On 11/15/2015 01:00 PM, Yuri Voinov wrote:
> 16.11.15 1:39, Alex Rousskov wrote:
>> Squid currently supports two kinds of CONNECT tunnels:
>>
>> 1. A regular opaque tunnel, as intended by HTTP specifications.
>> 2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic.
>>
>> Opaque tunnels are the default. Optional SslBump-related features allow
>> the admin to designate admin-selected CONNECT tunnels for HTTPS
>> inspections (of various depth). This distinction explains why and when
>> Squid expects "HTTPS inside".
>>
>> There is currently no decent support for inspecting CONNECT tunnels
>> other than SSL/TLS-encrypted HTTP (i.e., HTTPS) tunnels.
>>
>> Splicing a tunnel at SslBump step1 converts a to-be-inspected tunnel
>> into an opaque tunnel before inspection starts.
>>
>> The recently added on_unsupported_protocol directive can automatically
>> convert being-inspected non-HTTPS tunnels into opaque ones in some
>> common cases, but it needs more work to cover more cases.
>>
>> AFAICT, you assume that "splicing" turns off all tunnel inspection. This
>> is correct for step1 (as I mentioned above). This is not correct for
>> other steps because they happen after some inspection already took
>> place. Inspection errors that on_unsupported_protocol cannot yet handle,
>> may result in connection termination and other problems.
>>
>> If Squid behavior contradicts some of the above rules, it is probably a
>> bug we should fix. Otherwise, it is likely to be a missing feature.
>>
>> Finally, if Squid kills your ICQ (non-HTTPS) client tunnels, you need to
>> figure out whether those connections are inspected (i.e., go beyond
>> SslBump step1). If they are inspected, then this is not a Squid bug but
>> a misconfiguration (unless the ACL code itself is buggy!). If they are
>> not inspected, then it is probably a Squid bug. I do not have enough
>> information to distinguish between those cases, but I hope that others
>> on the mailing list can guide you towards a resolution given the above
>> information.
> I do not think it's killing them. It looks like an outgoing connection
> goes to the server, and then silence - there is no reaction in the log.
> Client hangs waiting for a response from server.
Same difference. "Killing" == "breaking" == "preventing from working
correctly" in this context.
Alex.
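An added squid.conf fragment (not from this thread or the Squid project) illustrating the rules Alex describes: tunnels to known non-HTTPS destinations are spliced at step1 so they stay opaque and are never inspected, everything else is peeked and bumped, and on_unsupported_protocol is the fallback for inspected tunnels that turn out not to carry TLS. The destination list file is an assumed placeholder; the at_step, dstdomain, ssl_bump and on_unsupported_protocol names are standard Squid directives and ACL types.

```conf
# SslBump step ACLs (standard at_step ACL type)
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Assumed placeholder: CONNECT destinations known to carry non-HTTPS
# traffic (e.g. chat clients). Maintained by the admin, one name per line.
acl non_https_tunnels dstdomain "/etc/squid/non_https_tunnels.txt"

# Splice at step1: matched tunnels become plain opaque tunnels before any
# inspection starts, so Squid never expects "HTTPS inside" them.
ssl_bump splice step1 non_https_tunnels

# All other CONNECT tunnels: peek at step1 to learn the SNI, then bump.
ssl_bump peek step1
ssl_bump bump all

# Safety net for tunnels that were already being inspected when Squid
# discovered a non-TLS protocol: fall back to an opaque tunnel instead of
# terminating the connection. Per the thread, this covers only some cases.
on_unsupported_protocol tunnel all
```

To verify a suspect client is really spliced at step1, check access.log for the CONNECT entry: a spliced tunnel logs as a plain CONNECT and never produces the bumped per-request lines that an inspected tunnel does.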