[squid-users] Skype+intercept+ssl_bump
Amos Jeffries
squid3 at treenet.co.nz
Mon Jul 18 07:27:22 UTC 2016
On 15/07/2016 10:38 p.m., Evgeniy Kononov wrote:
> Hello!
>
> Can you help me with correct settings for squid to use Skype?
>
FYI: there are currently no known "correct" settings for Skype when
SSL-Bump is involved.

There are settings known to work when Squid is set up as an explicit
proxy, and some which almost always (but only 99.999%) work for Squid
intercepting port 80.

Intercepting port 443 and bumping the crypto has issues distinguishing
Skype-TLS from real TLS and HTTPS.

That said, I have been giving it some thought today and suspect that
since MS are apparently filtering Skype traffic through their own
machines these days we could maybe use the "dst" ACL reverse-DNS
behaviour to detect and splice that traffic.

If you want to experiment with that and have good results there are many
here who would like some good news on this.

> With this setup I have problems with group chats, calls and attachments in messages.
> Attachments are sent, but not delivered to the respondent.
> I am unable to create group chats, and if one is created, the respondents do not see the chat or cannot make calls.
> I tried to add an IP regexp to the access list, but after that all https traffic was spliced.
> Skype works well when I change ssl_bump bump all to ssl_bump splice all
> How can I exclude Skype from SSL bumping?

The problem is with identifying it in a fairly reliable way from all the
other traffic. That is where we are currently all stuck.

Yuri and Eliezer have been trying various things and talking about it
on-list in recent weeks/months. But so far no results I'm confident
about recommending.

Amos
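
The experiment suggested in the reply above (splice connections whose destination reverse-resolves into a known name space, bump everything else), written out as an added squid.conf fragment. It is not from this thread or from the Squid project and has not been validated against Skype. It assumes the dstdomain ACL type is the one whose reverse-DNS lookup is meant, that an intercepting ssl-bump https_port is already configured, and the domain suffix is a placeholder.

```conf
# Added example, not part of the original message.
# Assumes Squid 3.5 or later with an existing "https_port ... intercept ssl-bump" line.

acl step1 at_step SslBump1

# On an intercepted connection the first request Squid sees carries only
# the destination IP. For IP-based requests dstdomain falls back to a
# reverse-DNS (PTR) lookup, so this ACL matches on the PTR name of the
# server the client connected to.
# PLACEHOLDER suffix: replace with the suffix the PTR records of the
# observed Skype destinations actually return.
# PTR names are published by whoever operates the address block, so keep
# the list short and specific.
acl skype_rdns dstdomain .skype-ptr-suffix.example

# The first matching ssl_bump line wins at each step, so the narrow
# splice rule has to come before the general ones.
ssl_bump splice step1 skype_rdns   # tunnel matched traffic untouched
ssl_bump peek step1                # everything else: read the ClientHello
ssl_bump bump all                  # then decrypt and inspect
```

If every HTTPS connection ends up spliced, as described in the quoted question, the splice ACL is matching more broadly than intended and should be narrowed before the rule is relied on.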