[squid-users] Skype+intercept+ssl_bump

Marcus Kool marcus.kool at urlfilterdb.com
Thu Sep 1 19:53:21 UTC 2016



On 08/27/2016 02:20 PM, Marcus Kool wrote:
>
>
> On 07/30/2016 04:21 PM, Alex Rousskov wrote:
> *snip*
>
>> Update: The question still stands, but we now know more about what
>> happens if the on_unsupported_protocol bug (in code and/or
>> documentation, depending on how you look at it) discussed above is
>> fixed: Squid then starts tunneling traffic as it is told by the
>> on_unsupported_protocol directive, but forgets to use the existing
>> encrypted connection to the server and opens/uses a new Squid-to-server
>> unencrypted connection instead.
>>
>> Thus, the patch I posted previously does not solve the known Skype
>> groups/MSNP problem -- it only exposes the next (and bigger!) obstacle
>> on the way to that solution.
>>
>> We are working on supporting/fixing tunneling of bumped connections, but
>> feedback regarding request counting check question above is still welcomed.

Is there an expected date for a fix?
I volunteer for testing patches.

Marcus

>>
>> Thank you,
>>
>> Alex.
>
> I am using squid-4.0.13-20160819-r14813 and have observed the following
> with transparent intercept:
> 1) skype (on windows10) login fails, access.log contains
>    "CNT error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -
> 2) whatsapp (on Android) fails, access.log contains
>    "NONE error:transaction-end-before-headers HTTP/0.0" 0 0 NONE:HIER_NONE -
>    "' error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -
> 3) Samsung (monitoring?) app on my Samsung smartphone:
>    "CONNECT 54.76.6.24:80 HTTP/1.1" 403 3775 TCP_DENIED:HIER_NONE Host:%2054.76.6.24:80%0D%0A
>    "NONE error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -
>
> TCP_DENIED in 3) is OK since the app connects on port 80 and this port is
> not in SSL_ports, but the error message "invalid-request" on the next line
> is misleading.
>
> If you need a cache.log with debug ALL,9 I can provide one.
>
> The ssl-bump rules on my server are:
> acl tls_s1_connect at_step SslBump1
> acl tls_to_splice complex-acl-but-does-not-matter-what-it-has
> ssl_bump peek   tls_s1_connect
> ssl_bump splice tls_to_splice
> ssl_bump stare  all
> ssl_bump bump   all
>
> With best regards,
>
> Marcus
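The access.log fragments quoted above (Squid-generated `error:invalid-request` and `error:transaction-end-before-headers` pseudo-requests next to a `TCP_DENIED` CONNECT to port 80) are easier to sort through with a small script than by eye. The following triage helper is an added example, not code from the thread or from the Squid project. It assumes a combined-style logformat whose request/status/hierarchy fields look like the quoted ones; the client addresses, timestamps and the last `www.example.com:443` line are constructed, and the `SSL_PORTS` set mirrors Squid's default `acl SSL_ports port 443` and should be changed to match the deployed config.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the fragments quoted in the thread.
# Request, status, size and hierarchy fields follow the quoted text; the
# client address and timestamp prefix are assumed (combined-style logformat).
SAMPLE_LOG = """\
10.0.0.21 - - [27/Aug/2016:14:10:01 -0300] "CNT error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -
10.0.0.22 - - [27/Aug/2016:14:10:05 -0300] "NONE error:transaction-end-before-headers HTTP/0.0" 0 0 NONE:HIER_NONE -
10.0.0.22 - - [27/Aug/2016:14:10:05 -0300] "' error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -
10.0.0.23 - - [27/Aug/2016:14:10:09 -0300] "CONNECT 54.76.6.24:80 HTTP/1.1" 403 3775 TCP_DENIED:HIER_NONE Host:%2054.76.6.24:80%0D%0A
10.0.0.23 - - [27/Aug/2016:14:10:09 -0300] "NONE error:invalid-request HTTP/1.1" 400 3705 NONE:HIER_NONE -
10.0.0.24 - - [27/Aug/2016:14:10:12 -0300] "CONNECT www.example.com:443 HTTP/1.1" 200 0 TCP_TUNNEL:HIER_DIRECT -
"""

# Assumption: Squid's default "acl SSL_ports port 443". Edit to match the config.
SSL_PORTS = {443}

# client ident user [timestamp] "method url proto" status bytes hierarchy rest
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S*) (?P<url>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d+) (?P<bytes>\d+) (?P<hier>\S+) ?(?P<rest>.*)$'
)


def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def connect_port(url):
    """Extract the numeric port from a CONNECT target such as 54.76.6.24:80."""
    _host, sep, port = url.rpartition(":")
    if sep and port.isdigit():
        return int(port)
    return None


def classify(rec):
    """Label a parsed record the way the thread reasons about the quoted lines."""
    url = rec["url"]
    # "error:..." URLs are pseudo-requests Squid writes when it could not parse
    # what arrived on the (bumped) connection, not requests a client sent.
    if url.startswith("error:"):
        return "squid-error:" + url[len("error:"):]
    if rec["hier"].startswith("TCP_DENIED") and rec["method"] == "CONNECT":
        port = connect_port(url)
        if port is not None and port not in SSL_PORTS:
            # Expected: port is outside SSL_ports, so http_access denies the CONNECT.
            return "denied-connect-non-ssl-port"
        return "denied-connect"
    return "ok"


def triage(text):
    """Count labels over a log excerpt and keep the per-client label sequence.

    The per-client sequence is what shows the pattern from the thread: a
    denied CONNECT immediately followed by an invalid-request error line.
    """
    counts = Counter()
    per_client = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        label = classify(rec)
        counts[label] += 1
        per_client.setdefault(rec["client"], []).append(label)
    return counts, per_client


if __name__ == "__main__":
    counts, per_client = triage(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{n:4d}  {label}")
    for client, labels in per_client.items():
        print(client, "->", " , ".join(labels))
```

Feed it a real excerpt with `triage(open("access.log").read())` after adjusting `LINE_RE` to the logformat in use; the labels separate the deny that is expected from the `SSL_ports` rule from the `error:*` lines that indicate Squid gave up on a protocol it could not parse inside a bumped connection, which is exactly the traffic the `on_unsupported_protocol` discussion above is about.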

