[squid-users] SSL Bump matching Subject Alternative Names

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 25 22:18:39 UTC 2016


On 26/02/2016 12:38 a.m., Cohen-Rose, Adam wrote:
> We're trying to use SSL bump to splice traffic from a CDN (cdn.teads.tv)
> 
> The CDN server certificate uses Subject Alternative Names in its
> certificate to identify the cdn.teads.tv domain rather than the Common
> Name (which is set to aka.proceau.net).
> 
> Can we use SSL bump to splice requests to cdn.teads.tv or do we need to
> use the CN domain to identify the CDN?

Yes, the ssl::server_name ACL type matches SubjectAltName in the server
certificate during *step 3* of the ssl_bump process.

You first have to peek/stare at the serverHello data to get it.


> 
> 
> We'd like to terminate other connections so our current SSL Bump config is:
> 
> acl tcp_level at_step SslBump1
> acl client_hello_peeked at_step SslBump2
> ssl_bump peek tcp_level all

NP: the " all" is meaningless.

> 
> acl to_teads_tv_ssl ssl::server_name cdn.teads.tv
> 
> ssl_bump splice client_hello_peeked to_teads_tv_ssl
> 

That deals with the cases where SNI matched. But the serverHello is
still not known yet, so the SubjectAltName is not known.

The terminate will happen on step 2 if the SNI did not match. You need to
peek/stare again to move on to the cert details.

> ssl_bump terminate all
> 


Why don't you try this:

  # splice whenever cdn.teads.tv is identified
  ssl_bump splice to_teads_tv_ssl

  # peek at both clientHello or serverHello data
  acl hello at_step SslBump1 SslBump2
  ssl_bump peek hello

  # otherwise terminate
  ssl_bump terminate all


Amos
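To make the step ordering concrete, here is a toy model of the first-match ssl_bump evaluation described in this thread, added as an example that is neither Squid's code nor either poster's: it shows the original config terminating a connection without SNI at step 2, while the suggested one reaches the certificate names at step 3. The rule tuples, the Connection class and the sample values are assumptions of the model, not Squid internals.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Connection:
    """Constructed sample connection; names become visible step by step."""
    sni: Optional[str]           # clientHello SNI, learned at step 2
    cert_cn: str                 # server certificate CN, learned at step 3
    cert_sans: Tuple[str, ...]   # server certificate SubjectAltNames, step 3


def known_names(conn: Connection, step: int) -> Set[str]:
    """Names ssl::server_name can match at this step (per the thread)."""
    names: Set[str] = set()
    if step >= 2 and conn.sni:
        names.add(conn.sni)
    if step >= 3:
        names.add(conn.cert_cn)
        names.update(conn.cert_sans)
    return names


# A rule is (action, steps it applies to or None for any step,
#            server name the ACL requires or None for "all").
Rule = Tuple[str, Optional[Set[int]], Optional[str]]

ORIGINAL_RULES: List[Rule] = [         # Adam's config
    ("peek", {1}, None),               # ssl_bump peek tcp_level
    ("splice", {2}, "cdn.teads.tv"),   # ssl_bump splice client_hello_peeked to_teads_tv_ssl
    ("terminate", None, None),         # ssl_bump terminate all
]
PROPOSED_RULES: List[Rule] = [         # Amos's suggestion
    ("splice", None, "cdn.teads.tv"),  # ssl_bump splice to_teads_tv_ssl
    ("peek", {1, 2}, None),            # ssl_bump peek hello
    ("terminate", None, None),         # ssl_bump terminate all
]


def evaluate(rules: List[Rule], conn: Connection) -> List[Tuple[int, str]]:
    """First-match evaluation at steps 1..3; a peek continues to the next
    step, any other action is final. Returns the (step, action) trail."""
    trail: List[Tuple[int, str]] = []
    for step in (1, 2, 3):
        for action, steps, name in rules:
            if steps is not None and step not in steps:
                continue
            if name is not None and name not in known_names(conn, step):
                continue
            trail.append((step, action))
            break
        else:
            raise RuntimeError(f"no ssl_bump rule matched at step {step}")
        if action != "peek":
            return trail
    return trail
```

Run it on a client that sends no SNI but reaches a server whose certificate carries cdn.teads.tv only in the SAN: the original rules end in a terminate at step 2, the proposed rules splice at step 3.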

