[squid-users] Squid 3.5.19 how to find banking server name for no bump

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 29 02:33:03 UTC 2016


On 29/06/2016 11:47 a.m., Stanford Prescott wrote:
> When I enter .wellsfargo.com in
> 
> acl tls_s1_connect at_step SslBump1
> acl tls_s2_client_hello at_step SslBump2
> acl tls_s3_server_hello at_step SslBump3
> 
> acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
> acl tls_allowed_hsts ssl::server_name .akamaihd.net
> acl tls_server_is_bank ssl::server_name .wellsfargo.com
> acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
> 
> ssl_bump peek tls_s1_connect all
> ssl_bump splice tls_s2_client_hello tls_to_splice
> ssl_bump stare tls_s2_client_hello all
> ssl_bump bump tls_s3_server_hello all
> 
> 
> it appears that the banking site is still getting bumped, i.e. like in this
> access.log snippet
> 

Most of the log entries have a) a raw-IP and no SNI, b) a non-wellsfargo
domain name [Google advertising].

All uses of CONNECT *.wellsfargo.com I have spotted in there also have a
"TCP_TUNNEL" tag - which means splice was done in accordance with your
above config.


For example, to follow one client:

Initial raw-TCP connection handling (TAG_NONE). No SNI available yet ...

> 1467156900.838   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -

... begin step-1 processing ...

[ Matches: ssl_bump peek tls_s1_connect all ]

[ Note that the wellsfargo ACL is not even reached at this stage. ]
[ If it did the string "159.45.170.145" != "*.wellsfargo.com" anyway ]

... which says to get the clientHello and SNI (if any) ...


> 1467156900.838   5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -

... begin step 2 processing. SNI available ...

[ The string "www.wellsfargo.com" ~= "*.wellsfargo.com" ]
[ Matches: ssl_bump splice tls_s2_client_hello tls_to_splice ]

... connection spliced (TCP_TUNNEL).

> 
> If I disable sslbumping then the bank site does not get bumped, of course.
> 
> 1467157349.321    230 10.40.40.100 TCP_MISS/301 243 GET
> http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -
> 

That is http://, not HTTPS. ssl_bump has no relevance for plain-text
traffic.
The same thing would be done for that request regardless of what your
ssl_bump settings are.

Amos
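The reply above reads the access.log by hand: a raw-IP TAG_NONE entry is the step-1 peek before any SNI exists, a TCP_TUNNEL CONNECT to a matching name means the splice rule fired, and an http:// GET never touches ssl_bump at all. The following script automates that reading over a whole log so an admin can verify a splice list instead of eyeballing lines. It is an added example, not code from the squid-users thread or from the Squid project; the domain list mirrors the tls_to_splice ACL from the thread, and the sample log lines are constructed in the same layout as the ones quoted above.

```python
"""Audit a Squid native-format access.log for CONNECTs that should have been spliced.

Added example (not part of the squid-users thread). A CONNECT whose SNI host
matches one of the splice domains is expected to carry the TCP_TUNNEL tag;
anything else for such a host is reported as "not_spliced" for investigation.
"""
import re

# Squid native access.log layout:
#   ts elapsed client tag/status bytes method url user hier/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Same names as the thread's acl tls_to_splice (assumption: this is the whole list).
# A leading dot means the domain itself plus every subdomain.
SPLICE_DOMAINS = (".akamaihd.net", ".wellsfargo.com")

# Constructed sample log. The first three lines are laid out like the ones quoted
# in the thread; the last two are invented to show a non-spliced bank CONNECT and
# an unrelated advertising CONNECT.
SAMPLE_LOG = """\
1467156900.838   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.838   5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
1467157349.321    230 10.40.40.100 TCP_MISS/301 243 GET http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -
1467156901.002    410 10.40.40.100 TAG_NONE/200 0 CONNECT connect.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.146 -
1467156902.001    700 10.40.40.100 TAG_NONE/200 0 CONNECT pagead2.googlesyndication.com:443 - ORIGINAL_DST/216.58.212.34 -
"""


def domain_matches(host, pattern):
    """ssl::server_name / dstdomain style match: '.example.com' covers example.com and subdomains."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["method"] == "CONNECT":
        host, sep, port = rec["url"].rpartition(":")
        rec["host"], rec["port"] = (host, port) if sep else (rec["url"], None)
    else:
        rec["host"] = rec["port"] = None
    return rec


def audit(lines, splice_domains=SPLICE_DOMAINS):
    """Bucket each line the way the thread reads the log.

    raw_ip      - CONNECT to a bare IPv4 address: no SNI yet, the step-1 peek entry
    spliced     - CONNECT to a splice-list host tagged TCP_TUNNEL (splice rule fired)
    not_spliced - CONNECT to a splice-list host with any other tag: worth checking
    other_tls   - CONNECT to a host outside the splice list
    plain_http  - non-CONNECT requests; ssl_bump has no bearing on these
    """
    report = {k: [] for k in ("raw_ip", "spliced", "not_spliced", "other_tls", "plain_http")}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "CONNECT":
            report["plain_http"].append(rec["url"])
        elif IPV4_RE.match(rec["host"]):
            report["raw_ip"].append((rec["host"], rec["tag"]))
        elif any(domain_matches(rec["host"], p) for p in splice_domains):
            key = "spliced" if rec["tag"] == "TCP_TUNNEL" else "not_spliced"
            report[key].append((rec["host"], rec["tag"]))
        else:
            report["other_tls"].append((rec["host"], rec["tag"]))
    return report


if __name__ == "__main__":
    for bucket, entries in audit(SAMPLE_LOG.splitlines()).items():
        print(f"{bucket:12s} {entries}")
```

Run it against a real log with `audit(open("/var/log/squid/access.log").readlines())`; an empty `not_spliced` bucket means every CONNECT to a name on the splice list was tunnelled, which is exactly the check the reply performs on the quoted snippet.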


