[squid-users] ssl-bump and accel

Amos Jeffries squid3 at treenet.co.nz
Sun Jan 10 11:14:06 UTC 2016


On 10/01/2016 10:26 p.m., Nir Krakowski wrote:
> 1. You're forgetting I only refer specific traffic using /etc/hosts to
> squid.

You missed my point.

1) clientConn is where the traffic *came from*. Not where it is going to.

2) Host: header verification is only relevant to MITM (intercept/tproxy
port) traffic. Patching it at all is wrong for accel port traffic. And
the patch you published is more than just dangerous when used on an MITM
proxy.

3) ssl-bump is not supported on accel ports:
 - http_port accel does not accept CONNECT, so nothing to bump.
 - https_port accel initializes its server TLS context differently to
ssl-bump, so the context created is bad for bumping.
 - https_port accel decrypts the TLS using different code than ssl-bump


> 2. What do you suggest? I want to use the SNI as the direction of the
> traffic, not the forwarded IP address.

"accel" mode traffic uses the URL for server selection. Both the
forwarded IP address and the SNI are irrelevant and ignored.

Think of it like this:
 If you take an apple and paint it to look like an apple, all you have
done is make it poisonous to eat. It has not ceased being an apple.

Amos
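As an added illustration of the separation Amos describes (not configuration from this thread or from the Squid project), here is a Squid 3.5-style squid.conf fragment in which reverse-proxy (accel) ports route purely by the request URL, and ssl-bump lives on its own intercept port. All hostnames, IP addresses, certificate paths and the `sslcrtd` path are hypothetical placeholders.

```conf
# --- Reverse proxy (accel) ports -------------------------------------
# Routing here is decided by the request URL only. With "vhost" Squid
# rebuilds the URL from the Host: header; the TLS SNI and any forwarded
# client address play no part in choosing the origin server.
http_port  80  accel vhost defaultsite=www.example.com
https_port 443 accel vhost defaultsite=www.example.com \
    cert=/etc/squid/certs/www.example.com.pem \
    key=/etc/squid/certs/www.example.com.key

# Origin servers (hypothetical addresses), one name per backend.
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=origin_www
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=origin_api

# URL-host ACLs drive the selection of the origin server.
acl site_www dstdomain www.example.com
acl site_api dstdomain api.example.com

cache_peer_access origin_www allow site_www
cache_peer_access origin_www deny all
cache_peer_access origin_api allow site_api
cache_peer_access origin_api deny all

# Only the published sites are reachable through the accel ports;
# anything else is refused rather than forwarded somewhere unexpected.
http_access allow site_www
http_access allow site_api
http_access deny all

# --- Separate MITM (intercept) port with ssl-bump ---------------------
# ssl-bump is configured only on an intercept port. This is also the
# only kind of port where Squid's Host: header verification applies
# (it compares the Host: header with the original destination address).
https_port 3130 intercept ssl-bump \
    cert=/etc/squid/certs/bump-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# generate-host-certificates requires a certificate generator helper
# (path is a placeholder; it differs between distributions).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

The two halves never share a port: an accel port has no CONNECT to bump and builds its TLS server context for the published certificate, while the intercept port builds a bumping context from the CA certificate. Keeping them apart is also what makes the Host: verification meaningful, since it only runs on intercepted traffic.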
