[squid-users] Skype+intercept+ssl_bump

Evgeniy Kononov egenius at inbox.ru
Fri Jul 15 10:38:03 UTC 2016


 Hello!

Can you help me with the correct settings for Squid so that Skype works through it?


My current config.

# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--verbose' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--enable-ecap' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic 
-fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience
#cat squid.conf
# Listener and TLS-interception configuration as posted (squid.conf).
http_port 3128 options=NO_SSLv3:NO_SSLv2
http_port 192.168.10.240:3125 intercept options=NO_SSLv3:NO_SSLv2
# NOTE(review): the cipher= list on the intercept https_port ends in a bare
# ':' and, unlike the sslproxy_cipher line further down, carries none of the
# !aNULL:!eNULL:!LOW:!MD5:!EXP exclusions; RC4 and 3DES are also offered to
# the bumped clients here — confirm this asymmetry is intended.
https_port 192.168.10.240:3126 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/opt/squid_certs/squid.pem key=/opt/squid_certs/squid.pem dhparams=/opt/squid_certs/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:
always_direct allow all
# NOTE(review): the next two lines together make Squid accept any upstream
# server certificate (all certificate errors allowed, peer verification
# flag off), so clients whose sessions are bumped lose the ability to detect
# a forged or expired origin; sslproxy_cafile then no longer causes any
# rejection. Consider restricting the allow to specific acl/error cases.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt
sslproxy_cipher HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
# Step 1 of SslBump: peek at the ClientHello so the server name (SNI) is
# available to the NoSSLIntercept acl before the splice/bump decision.
acl DiscoverSNIHost at_step SslBump1
# The list file holds unanchored, case-insensitive regexes matched against the
# SNI; a pattern such as microsoft\.com therefore also matches any longer host
# name that merely contains that substring. Anchor entries (e.g. a trailing $)
# when an exact-suffix match is meant, otherwise unintended names are spliced.
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/lists/url.nobump"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
# Everything not spliced above is bumped; a connection that presents no SNI
# cannot match NoSSLIntercept and so falls through to this rule.
ssl_bump bump all

#cat /etc/squid/lists/url.nobump
microsoft\.com
update\.microsoft\.com
update\.microsoft\.com\.akadns\.net
mobile\.pipe\.aria\.microsoft\.com
prd\.col\.aria.mobile\.skypedata\.akadns\.net
pipe\.skype\.com
pipe\.prd\.skypedata\.akadns\.net
api\.asm\.skype\.com
apps\.skype\.com
wildcard\.skype\.com\.edgekey\.net
e4593\.g\.akamaiedge\.net
\.skype\.com
\.skypeassets\.com
etag\.prod\.registrar\.skype\.com
prod\.registrar\.skype\.com
go\.trouter\.io
With this setup I have problems with group chats, calls and attachments in messages.
Attachments are sent, but never delivered to the recipient.
I am unable to create group chats, and if one is created, the other participants do not see the chat or cannot make calls.
I tried adding an IP regexp to the access list, but after that all HTTPS traffic was spliced.
Skype works well when I change `ssl_bump bump all` to `ssl_bump splice all`.
How can I exclude Skype from SSL bumping?
Thank you.

-- 
Evgeniy Kononov