[squid-users] Ssl bump tunneling connection by using Common Name
Hanoch Hanoch K
for.work2920 at gmail.com
Mon Mar 6 13:46:42 UTC 2017
Greetings
We're using Squid 3.5.19 with ssl bump,
and we want to tunnel (not bump) applications such as skype, that use
pinned ssl,
so we defined an acl for splicing skype's ssl_server_name.
However skype's client app uses client certificates that don't have SNI.
The only way to identify skype is its Common Name: *.dc.trouter.io
But the Common Name is available only in step3 of ssl bump,
where tunneling the connection is no longer possible (as documented in peek
and splice step3 docs).
What we get is bumping.
Is there a way we can tunnel an acl based on Common Name?
ty
http_port 3127
http_port 3128 intercept
https_port 3129 ssl-bump intercept generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
always_direct allow all
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i (microsoft|msn|windows|update|
skype.com|go.trouter.io|secure.adnxs.compipe.skype.com|skype-m.hotmail.com|
mobile.pipe.aria.microsoft.com|edge.skype.com|api.cc.skype.com|a.config.sky
pe.com|clientlogin.cdn.skype.com|.dc.trouter.io|ui.skype.com|apps.skype.com|
registrar-rr.prod.registrar.skype.com|secure.skypeassets.com|c1.skype.com)
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170306/85700560/attachment.html>
More information about the squid-users
mailing list