[squid-users] question about ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Thu Mar 10 03:17:48 UTC 2016


On 03/09/2016 08:00 PM, Alex Samad wrote:
> from http://wiki.squid-cache.org/Features/SslPeekAndSplice
> 
> # Better safe than sorry:
> # Terminate all strange connections.
> ssl_bump splice serverIsBank
> ssl_bump bump haveServerName
> ssl_bump peek all
> ssl_bump terminate all
> 
> I am not sure how haveServerName is constructed

It is up to the Squid admin.


> I read this as
> 1) splice the connection if it meets ACL serverIsBank

Yes. I would replace "if" with "as soon as", to be slightly more precise.


> 2) bump the connection (MTM) if acl haveServerName is met

Yes. I would replace "if" with "as soon as", to be slightly more precise.


> 3) try and peek the ssl connection, which I understand is start MTM

There is no "try" here. Bugs/problems notwithstanding, "peek" always
succeeds. Roughly speaking, this non-final action receives either SSL
client or SSL server information (depending on the SslBump step) without
changing any bytes on the wire. The "MTM" term is too vague/overloaded
to use in this specific context, but you can think of peeking as a
"passive MitM" if it helps.

Please note that the peek action can only match during the first two
SslBump steps. It is ignored during the third step.


> whilst keeping the ability to splice. I presume this means look at the
> client cert and the server cert? So you get more info.... But this
> doesn't stop the process?

Yes, when peek ACL matches, Squid moves to the next SslBump step.


> 4) terminate all that get here. Again nothing stops at #3, it just
> gathers more info?

Yes. To quote the same page you are citing: "All actions except peek and
stare correspond to final decisions: Once an ssl_bump directive with a
final action matches, no further ssl_bump evaluations will take place,
regardless of the current processing step."


HTH,

Alex.
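The step-by-step decision process described in this reply, as an added toy model in Python (not from the thread and not Squid's own code): the ACL definitions, IP addresses and SNI values are constructed for illustration, and only the rule order and the final/non-final action semantics follow the quoted configuration.

```python
# Added example: toy model of how Squid walks the quoted ssl_bump rules
# across SslBump steps 1-3. Not Squid's code; ACLs and hosts are made up.
from typing import Callable, Dict, List, Optional, Tuple

FINAL = {"splice", "bump", "terminate"}   # matching one ends evaluation
NON_FINAL = {"peek", "stare"}             # gather info, move to next step

class Conn:
    """What Squid knows about one TLS connection at the current step."""
    def __init__(self, dst_ip: str, client_sni: Optional[str], server_cn: str):
        self.dst_ip = dst_ip
        self._sni, self._cn = client_sni, server_cn   # on the wire, unseen so far
        self.sni: Optional[str] = None        # revealed by peeking at step 1
        self.server_cn: Optional[str] = None  # revealed by peeking at step 2

    def peek(self, step: int) -> None:
        """Peek changes no bytes; it only reveals client or server info."""
        if step == 1:
            self.sni = self._sni            # ClientHello: client-side info
        elif step == 2:
            self.server_cn = self._cn       # server cert: server-side info

# ACL names come from the quoted config; their definitions are constructed.
BANK_IPS = {"203.0.113.10"}
ACLS: Dict[str, Callable[[Conn], bool]] = {
    "serverIsBank": lambda c: c.dst_ip in BANK_IPS
                              or (c.sni or "").endswith(".bank.example"),
    "haveServerName": lambda c: c.sni is not None,
    "all": lambda c: True,
}
RULES: List[Tuple[str, str]] = [
    ("splice", "serverIsBank"),
    ("bump", "haveServerName"),
    ("peek", "all"),
    ("terminate", "all"),
]

def evaluate_step(rules, conn: Conn, step: int) -> Optional[str]:
    """First matching rule wins; peek can only match during steps 1 and 2."""
    for action, acl in rules:
        if action == "peek" and step == 3:
            continue
        if ACLS[acl](conn):
            return action
    return None

def decide(conn: Conn, rules=RULES) -> Tuple[Optional[str], List[Tuple[int, str]]]:
    """Walk steps 1..3; return the final action and a per-step trace."""
    trace: List[Tuple[int, str]] = []
    for step in (1, 2, 3):
        action = evaluate_step(rules, conn, step)
        trace.append((step, action))
        if action in FINAL:
            return action, trace              # final decision: stop here
        if action == "peek":
            conn.peek(step)                   # non-final: learn more, go on
    return None, trace   # nothing final matched (real Squid applies its default)
```

Running `decide` on a connection whose SNI only becomes visible after the step-1 peek shows the "as soon as" semantics: serverIsBank cannot match at step 1, but splices at step 2 before the bump rule is reached.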
