[squid-users] Squid SSL Intercept have issues apps on iOS
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 12 01:39:38 UTC 2017
On 11/04/2017 11:38 p.m., prashantbhosale wrote:
> I was trying to setup Squid transparent SSLBump and its working. But it
> giving problem for Apple apps.
> According to threads on mailing list excluded domains (.apple.com
> .icloud.com .mzstatic.com .akamaihd.net .dropbox.com) then App Store works
> (browsing apps, searching apps) but app installation(from App store) fails
> with below squid access log:
> 1491910115.715 51 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.226:443 -
> ORIGINAL_DST/17.154.66.226 -
> 1491910116.537 52 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.74:443 -
> ORIGINAL_DST/17.154.66.74 -
Please read
<http://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>
The above log enties look like the step 1.i CONNECT requests to me.
TLS/SSL has not started at that point and ssl_bump has not even been
considered.
Later on ...
> sslproxy_cert_error allow all
... you have disabled all errors from being visible to anyone.
*including you*.
> sslproxy_flags DONT_VERIFY_PEER
... and you have disabled all TLS security protections.
>
> Is anybody has working conf for sslbump with exclude the HTTP Public Key
> Pinning (HPKP) mechanism.
There is no way to know whether the pinning is being used, nor even what
software was being used. Some client IP connects and signals that it
needs TLS. Then exists as soon as TLS is sent ot it. End of story.
There are a large number of things that could be going on when a client
simply disappears like that. As humans we can know a lot of contextual
information about the whole situation and decide that its HPKP - but the
software on the spot when it happened does not have any of that extra
info to work with.
Amos
More information about the squid-users
mailing list