[squid-users] ssl_bump newbie troubles

Alex Rousskov rousskov at measurement-factory.com
Wed Apr 20 15:38:06 UTC 2016


On 04/20/2016 08:16 AM, Odhiambo Washington wrote:

> I even wonder if this config is correct:
> 
> acl ssl_bump_broken_sites  dstdomain ...
> ssl_bump none ssl_bump_broken_sites
> ssl_bump peek step1
> ssl_bump stare step2
> ssl_bump bump all

You did not say what you want Squid to do, so it is difficult to say
whether the config is correct. However, the following combinations look
strange to me:

* old "none" and new "peek" actions; use "splice" instead of "none"
* sometimes contradictory "peek" and "stare" actions; pick one kind
* sometimes contradictory "peek" and "bump" actions; if you intend to
bump, use "stare"

Also, you may want to use ssl::server_name ACL instead of dstdomain.
Remember that Squid may have no domain information until it is too late
to splice. Here is a polished config that may or may not do what you want:

  # Bump aggressively, including discovered-too-late broken_sites:
  acl ssl_bump_broken_sites ssl::server_name ...
  ssl_bump splice ssl_bump_broken_sites
  ssl_bump stare all
  ssl_bump bump all


> I had to import my CA to all devices (as a trusted CA) on
> the network so that they don't get the MITM notification. [...] People
> don't like intrusive changes.

"ssl_bump bump" implies intrusiveness. You need to decide whether
bumping connections is important enough to be intrusive. The alternative
is passive monitoring/splicing that does not require intrusive changes
but gives you less control. Pick your poison.

Alex.
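To make the per-step decisions in the polished config explicit, here is an added example (not from the post above) that spells out the same policy with at_step ACLs; `.example.net` is a placeholder for the real broken-sites list, and it assumes Squid 3.5 or later, where at_step and ssl::server_name exist:

```conf
# Added example, not from the original post. ".example.net" is a placeholder
# for the real broken-sites list. Assumes Squid 3.5+ (at_step, ssl::server_name).
acl step1 at_step SslBump1      # TCP connection only (plus CONNECT host, if any)
acl step2 at_step SslBump2      # client ClientHello received: SNI is known
acl step3 at_step SslBump3      # server certificate received: subject/SAN known

# ssl::server_name matches the best name Squid has at the current step:
# the CONNECT host at step1, the SNI at step2, certificate names at step3.
acl broken_sites ssl::server_name .example.net

# Splice broken sites that are recognized early (CONNECT host or SNI).
# After staring at step2 Squid has done its own handshake with the server,
# so splicing at step3 is no longer possible; do not even try.
ssl_bump splice broken_sites !step3

# Otherwise stare: at step1 this only collects the ClientHello, at step2
# it commits to bumping by opening Squid's own TLS connection to the server.
ssl_bump stare !step3

# Step3: whatever is left, including broken sites that were only
# recognizable from their server certificate, gets bumped.
ssl_bump bump all
```

With this ordering a broken site reachable only by IP (no CONNECT host, no SNI, name visible only in the certificate) is bumped rather than spliced, which is the "discovered-too-late" case the comment in the polished config refers to.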


