[squid-users] Skype+intercept+ssl_bump

[Marcus Kool]

On 07/30/2016 04:21 PM, Alex Rousskov wrote:
*snip*

> Update: The question still stands, but we now know more about what
> happens if the on_unsupported_protocol bug (in code and/or
> documentation, depending on how you look at it) discussed above is
> fixed: Squid then starts tunneling traffic as it is told by the
> on_unsupported_protocol directive, but forgets to use the existing
> encrypted connection to the server and opens/uses a new Squid-to-server
> unencrypted connection instead.
>
> Thus, the patch I posted previously does not solve the known Skype
> groups/MSNP problem -- it only exposes the next (and bigger!) obstacle
> on the way to that solution.
>
> We are working on supporting/fixing tunneling of bumped connections, but
> feedback regarding request counting check question above is still welcomed.
>
>
> Thank you,
>
> Alex.

I am using squid-4.0.13-20160819-r14813 and have observed the following
with transparent intercept:
1) skype (on windows10) login fails, access.log contains
    "CNT error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -
2) whatsapp (on Android) fails, access.log contains
    "NONE error:transaction-end-before-headers HTTP/0.0" 0 0 NONE:HIER_NONE -
    "' error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -
3) Samsung (monitoring?) app on my Samsung smartphone:
    "CONNECT 54.76.6.24:80 HTTP/1.1" 403 3775 TCP_DENIED:HIER_NONE Host:%2054.76.6.24:80%0D%0A
    "NONE error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -

TCP_DENIED in 3) is OK since the app connects on port 80 and this port is
not in SSL_ports, but the error message "invalid-request" on the next line
is misleading.

If you need a cache.log with debug ALL,9 I can provide one.

The ssl-bump rules on my server are:
acl tls_s1_connect at_step SslBump1
acl tls_to_splice complex-acl-but-does-not-matter-what-it-has
ssl_bump peek   tls_s1_connect
ssl_bump splice tls_to_splice
ssl_bump stare  all
ssl_bump bump   all

With best regards,

Marcus