[squid-users] Ssl bump tunneling connection by using Common Name

Eliezer Croitoru eliezer at ngtech.co.il
Mon Mar 6 16:41:02 UTC 2017


Hey,

There was something about it but I believe it's only on squid version 4.0.X.
The other options for such a thing is to use an external_acl helper that will try to initiate a connection to the destination host (like what is done in the happy eyeballs) to and to inspect the certificate to match a specific criteria.
I was working on such a helper a year ago but stopped touch it since there was something I didn't expected.
I can try to dig in my repository and see if I find the helper.

Let me know if to bother with it.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Hanoch Hanoch K
Sent: Monday, March 6, 2017 3:47 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Ssl bump tunneling connection by using Common Name

Greetings

We're using Squid 3.5.19 with ssl bump,
and we want to tunnel (not bump) applications such as skype, that use pinned ssl,
so we defined an acl for splicing skype's ssl_server_name.

However skype's client app uses client certificates that don't have SNI.
The only way to identify skype is its Common Name: *.http://dc.trouter.io/

But the Common Name is available only in step3 of ssl bump,
where tunneling the connection is no longer possible (as documented in peek and splice step3 docs).
What we get is bumping.

Is there a way we can tunnel an acl based on Common Name?

ty


http_port 3127
http_port 3128 intercept
https_port 3129 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
always_direct allow all
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i (microsoft|msn|windows|update|http://skype.com/|http://go.trouter.io/|http://secure.adnxs.compipe.skype.com/|http://skype-m.hotmail.com/|http://mobile.pipe.aria.microsoft.com/|http://edge.skype.com/|http://api.cc.skype.com/|http://a.config.skype.com/|http://clientlogin.cdn.skype.com/|.http://dc.trouter.io/|http://ui.skype.com/|http://apps.skype.com/|http://registrar-rr.prod.registrar.skype.com/|http://secure.skypeassets.com/|http://c1.skype.com/)
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5




More information about the squid-users mailing list