[squid-users] Enable SSL bump

Amos Jeffries squid3 at treenet.co.nz
Tue Jan 24 06:56:50 UTC 2017


On 24/01/2017 3:38 p.m., Mustafa Mohammad wrote:
> By regression...I mean our QA testing server. Let me explain this in
> detail: I have a squid proxy running which is needed to connect to the
> server so we can get back if the transaction was approved or not. It is a
> point of sale application that sends transaction data to the server to
> receive a response about the transaction and that's when the problem is
> occurring, when it is trying to communicate to that server. I received some
> help and I think ssl splice and ssl peek might work but I don't know how to
> use them. I don't know the rules to apply in this situation.

What's usually needed in these setups is a reverse-proxy (aka "load
balancer", CDN frontend, etc.). But for that to be Squid it would
require the POS application to be messaging with HTTP.
Is that the case?

The peek-and-splice form of SSL-Bump MITM might work anyway so long as
the application is actually using real TLS. But you need to be aware the
splice action is just blindly tunneling the TLS data through Squid. It
is not being touched, so anything like CRL issues is a problem between
the endpoints - Squid cannot help unless it's actually HTTP messages,
then the 'bump' action is needed to fully decrypt and modify the TLS.


(That said, there have been some weird issues showing up even when the
tunnel is spliced. See the threads about 30sec delays to Cloudflare, or
curl rejecting tunneled traffic.)

Amos
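An added configuration example, not part of Amos's reply or of the Squid project's documentation, showing the peek-then-splice arrangement he describes: Squid peeks at the TLS ClientHello to learn the server name, then splices (blindly tunnels) the connection to the POS server without decrypting it, and only 'bump's traffic that matches nothing else. The listening port, the server name, the CA certificate path and the certificate-generator path are assumptions chosen for illustration.

```conf
# Intercepting HTTPS port. The CA cert is only used when a 'bump' rule
# fires; spliced connections are never decrypted, so the clients never
# see this CA. Paths and port are assumed values for this example.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/certs/squid-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates for bumped connections
# (Squid 4 name; Squid 3.5 ships it as ssl_crtd). Path is assumed.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Step 1 of SSL-Bump: only the ClientHello has been read so far.
acl step1 at_step SslBump1

# The payment host the POS application talks to (assumed name).
# ssl::server_name matches the SNI seen in the ClientHello at step 1.
acl pos_server ssl::server_name .payments.example.invalid

# Peek first so the server name becomes available to later rules.
ssl_bump peek step1

# Splice = tunnel the TLS bytes untouched. Certificate/CRL validation
# stays strictly between the POS client and the server; Squid cannot
# fix or see any TLS-level failure on a spliced connection.
ssl_bump splice pos_server

# Anything else is decrypted (bump) so Squid can apply HTTP policy.
# Replace with 'ssl_bump terminate all' if decryption is not wanted.
ssl_bump bump all
```

After reloading, `squidclient mgr:info` confirms the config parsed, and the access.log line for a spliced connection records the CONNECT-style entry with the peeked server name rather than a URL, which is a quick way to verify the POS host was spliced and not bumped.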


