[squid-users] 3.5.8 — SSL Bump questions

Amos Jeffries squid3 at treenet.co.nz
Wed Sep 9 05:52:38 UTC 2015


On 9/09/2015 8:42 a.m., James Lay wrote:
> On 2015-09-08 02:32 PM, Alex Rousskov wrote:
>> On 09/08/2015 02:18 PM, James Lay wrote:
>>
>>> I'm currently having great success with 3.5.8 and this
>>> peek/splice only method using transparent intercept:
>>>
>>> ###############################
>>> acl step1 at_step SslBump1
>>> acl step2 at_step SslBump2
>>> acl step3 at_step SslBump3
>>>
>>> ssl_bump peek step1 all
>>> ssl_bump peek step2 all
>>> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
>>> ssl_bump splice step3 allowed_https_sites
>>> ssl_bump terminate all
>>> ###############################
>>
>>
>> Bugs notwithstanding, the above can be further simplified (in v3.5.8 and
>> later):
>>
>>  acl allowed_https_sites ...
>>  ssl_bump peek all
>>  ssl_bump splice allowed_https_sites
>>  ssl_bump terminate all
>>
>>
>> HTH,
>>
>> Alex.
> 
> Hey thanks Alex...I will give that a test with 3.5.8.  I also recall in
> earlier builds that "ssl_bump peek all" only matched SNI, but did not
> match the cert subject, which is why I forced it with peeking at step1
> and step2.  Thanks again.
> 

Prior to 3.5.8 a "peek all" would have matched at step3 and caused weird
things to happen later.

As of 3.5.8 it is ignored properly and the splice gets to check the
server cert. Alex's suggested config should work identically to yours.

Amos

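For readers who want the whole picture in one place, here is a complete intercept-mode squid.conf fragment that puts the two ssl_bump forms discussed in the thread side by side. It is an added example, not config from any of the posts or from the Squid project; the port number, certificate path, regex file path and the regex file contents are assumptions chosen for illustration.

```conf
# Added example (not from the thread). Squid 3.5.8+ transparent intercept,
# peek/splice only: no forged certificates, and HTTPS hosts that are not on
# the allow list are dropped at the TLS layer.

# Intercepted TLS traffic is redirected here (iptables/pf REDIRECT or TPROXY).
# cert= is mandatory on any ssl-bump port even though a peek/splice/terminate
# policy never presents it to a client. Port and path are assumptions.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem

# SslBump1: only the TCP destination is known.
# SslBump2: the client Hello has been peeked, so ssl::server_name is the SNI.
# SslBump3: the server certificate has been peeked, so ssl::server_name is
#           checked against the certificate Squid actually received.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# One regex per line. Constructed contents of /opt/etc/squid/https_allowed.txt:
#   ^(.*\.)?example\.com$
#   ^(.*\.)?example\.org$
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/https_allowed.txt"

# Form that is also safe on pre-3.5.8 builds: peek is restricted to steps 1
# and 2, so a "peek" rule can never be selected at step3.
# ssl_bump peek step1 all
# ssl_bump peek step2 all
# ssl_bump splice step3 allowed_https_sites
# ssl_bump terminate all

# Simplified form for 3.5.8 and later. At steps 1 and 2 "peek all" matches
# first. At step3 a peek rule is ignored, so the first rule evaluated is the
# splice, taken with the real server certificate in hand; anything that does
# not match the allow list is terminated.
ssl_bump peek all
ssl_bump splice allowed_https_sites
ssl_bump terminate all
```

Peeking at step2 commits Squid to never bumping that connection (only splice or terminate remain), which is exactly what this no-forged-certificates policy wants; a configuration that intends to bump some hosts needs a different step2 rule (stare) and is outside what this thread covers.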
