[squid-users] Working peek/splice no longer functioning on some sites

James Lay jlay at slave-tothe-box.net
Mon Nov 27 14:50:11 UTC 2017


On Sun, 2017-11-26 at 09:50 +0200, Alex K wrote:
> Perhaps an alternative is to peek only on step1:
> 
> acl step1 at_step SslBump1
> 
> ssl_bump peek step1
> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> ssl_bump splice allowed_https_sites
> ssl_bump terminate all
Hrmm...wouldn't that negate the ability to read the cert on step2?
In layman's terms I'm thinking:
"peek at step1"
"splice acl allow matched sni's"
"peek at step2"
"splice acl allow'd matched certs"
"terminate the rest"
Would that work Amos?

> On Nov 25, 2017 14:46, "James Lay" <jlay at slave-tothe-box.net> wrote:
> > On Sun, 2017-11-26 at 01:33 +1300, Amos Jeffries wrote:
> > > On 26/11/17 00:52, James Lay wrote:
> > > 
> > > > 
> > > > On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
> > > > 
> > > > > 
> > > > > On 25/11/17 08:30, James Lay wrote:
> > > > > 
> > > > > > 
> > > > > > Topic says it...this setup has been working well for a long time, but 
> > > > > > now there are some sites that are failing the TLS handshake.  Here's 
> > > > > > my setup:
> > > > > > 
> > > > > > acl localnet src 192.168.1.0/24
> > > > > > acl SSL_ports port 443
> > > > > > acl Safe_ports port 80
> > > > > > acl Safe_ports port 443
> > > > > > acl CONNECT method CONNECT
> > > > > > acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> > > > > > http_access deny !Safe_ports
> > > > > > http_access deny CONNECT !SSL_Ports
> > > > > > http_access allow SSL_ports
> > > > > > http_access allow allowed_http_sites
> > > > > > http_access deny all
> > > > > > ssl_bump peek all
> > > > > > acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> > > > > > ssl_bump splice allowed_https_sites
> > > > > > ssl_bump terminate all
> > > > > > 
> > > > > 
> > > > > Because you have "peek all" being performed the transaction MUST pass
> > > > > your regex patterns with both TLS SNI from the client *and* the server
> > > > > certificate SubjectName values. Either one not matching will perform
> > > > > that "terminate all" on the TLS handshake.
> > > > > 
> > > > 
> > > > Thanks Amos...do you have a suggestion for changing this to match one or 
> > > > the other instead of both?
> > > > 
> > > 
> > > Doing the splice check before the peek should do that. First one of the 
> > > server_names data sources to match will then splice and non-matches fall 
> > > through to either peek or terminate if no more peeking possible.
> > > 
> > > Amos
> > > 
> > Perfect..I've modded my lines with:
> > 
> > acl broken_https_sites ssl::server_name_regex "/opt/etc/squid/broken_url.txt"
> > ssl_bump splice broken_https_sites
> > ssl_bump peek all
> > acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> > ssl_bump splice allowed_https_sites
> > ssl_bump terminate all

> > Hopefully that fixes these up.  Another site besides the one this thread is about is fbcdn.net.  Again, these DID work, but something within the last month has changed...guessing Facebook and Elder Scrolls Online have added additional TLS security.  Thanks as always Amos.
> > 
> > James

> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users

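A small dry-run checker, added here as an illustration and not part of this thread or of Squid itself: it reads a pattern list in the one-regex-per-line form that the ssl::server_name_regex ACL above loads, then applies the two rule orders discussed in the thread to a client SNI and the names carried by the server certificate, so an administrator can see before reloading Squid which transactions would splice and which would fall through to "terminate all". The decision logic reproduces Amos's explanation (peek-first requires both the SNI and the certificate names to match; splice-first splices on the first source that matches) rather than Squid's internal ssl_bump state machine. The pattern file contents, the transactions, and the handling of "-i"/"+i" lines are constructed assumptions, and Python's re module is not POSIX ERE, so treat the matching as an approximation for ordinary hostname patterns.

```python
import re

# Constructed stand-in for the contents of /opt/etc/squid/http_url.txt.
# Squid regex ACL files carry one POSIX ERE per line; a line holding only
# "-i" makes the patterns after it case-insensitive and "+i" switches back.
SAMPLE_PATTERN_FILE = r"""
# hosts this proxy may splice (constructed sample, not a real list)
-i
(^|\.)example\.com$
^cdn\.example-static\.net$
"""

# Constructed transactions: the client SNI and the names found in the server
# certificate (CN plus subjectAltName entries) once Squid has peeked at it.
SAMPLE_TRANSACTIONS = [
    ("www.example.com", ["www.example.com", "example.com"]),
    # SNI matches, but the CDN's certificate carries only the provider's names
    ("cdn.example-static.net", ["*.cdn-provider.example"]),
    ("evil.example.org", ["evil.example.org"]),
]


def load_patterns(text):
    """Compile a Squid-style regex list. Python's re is not POSIX ERE, so
    this is an approximation, adequate for ordinary hostname patterns."""
    compiled, flags = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-i":
            flags = re.IGNORECASE
        elif line == "+i":
            flags = 0
        else:
            compiled.append(re.compile(line, flags))
    return compiled


def name_matches(name, patterns):
    """True when any pattern matches, as one line of a regex ACL would."""
    return any(p.search(name) for p in patterns)


def decide(sni, cert_names, patterns, splice_before_peek):
    """Outcome of the two rule orders discussed in the thread.

    splice_before_peek=False models
        ssl_bump peek all / ssl_bump splice allowed / ssl_bump terminate all
    where Squid has peeked at both the SNI and the server certificate, so
    both name sources must match the list or the handshake is terminated.

    splice_before_peek=True models
        ssl_bump splice allowed / ssl_bump peek all /
        ssl_bump splice allowed / ssl_bump terminate all
    where a matching SNI splices immediately and only a non-matching SNI
    falls through to peeking at the certificate and retrying with its names.
    """
    sni_ok = name_matches(sni, patterns)
    cert_ok = any(name_matches(n, patterns) for n in cert_names)
    if splice_before_peek:
        return "splice" if (sni_ok or cert_ok) else "terminate"
    return "splice" if (sni_ok and cert_ok) else "terminate"


def dry_run(transactions, patterns):
    """Return (sni, peek-first outcome, splice-first outcome) per transaction."""
    return [
        (sni, decide(sni, certs, patterns, False), decide(sni, certs, patterns, True))
        for sni, certs in transactions
    ]


if __name__ == "__main__":
    pats = load_patterns(SAMPLE_PATTERN_FILE)
    print(f"{'SNI':28} {'peek-first':12} {'splice-first':12}")
    for sni, peek_first, splice_first in dry_run(SAMPLE_TRANSACTIONS, pats):
        print(f"{sni:28} {peek_first:12} {splice_first:12}")
```

Running it against the constructed data shows the case the thread is about: the CDN hostname matches by SNI but not by certificate name, so it is terminated under the original peek-first order and spliced under the reordered rules. Pointing SAMPLE_PATTERN_FILE at the real list and filling SAMPLE_TRANSACTIONS from the SNI and certificate subject of a failing site gives a quick check of which of the two name sources the list is missing.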