[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/
Alex Rousskov
rousskov at measurement-factory.com
Wed Sep 30 00:07:04 UTC 2015
On 09/29/2015 05:02 PM, HackXBack wrote:
> i dont know, but if connection cant bump .. if connection cant established ,
> then squid bypass this connection directly ...
> this is how ...
The pinning client (not Squid!) decides that the [successfully bumped
from Squid point of view] connection is insecure and terminates it.
When the pinning client terminates its bumped connection to Squid, it is
too late for Squid to establish a spliced connection to the origin
server -- the client is already done talking to Squid as far as this
transaction is concerned...
Moreover, there is so little information about the client available to
Squid at the bumping decision point, that I doubt Squid can "learn" to
recognize similar client connections in the future and avoid bumping
them again (unless you are willing to tolerate lots of false positives
and, hence, splice a lot of traffic from non-pinning clients).
Said that, if somebody can build a good fingerprinting algorithm for
pinning clients, you would be able to configure Squid to splice their
connections.
Alex.
More information about the squid-users
mailing list