[squid-users] SSL intercept in explicit mode

Amos Jeffries squid3 at treenet.co.nz
Sat Apr 14 09:53:18 UTC 2018


On 14/04/18 20:51, MK2018 wrote:
> Amos Jeffries wrote
>> FYI this is "server-first all". peek and splice before "bump all" is
>> similar but also different in ways that allow it to handle more problems
>> in better ways.
> 
> I never really got to understand how to implement peek and splice verbs. I
> was glad I could get away with server-first!
> 
> Any chance someone, or yourself, would rewrite a more detailed example of
> how to use them?
> 

Peek is to look without touching the bytes on-wire. They may be relayed
as-is to make progress in the TLS sequence. So bump maybe cannot happen
later, but splice always can.

Stare is to look at the bytes on-wire and synthesize anything needing to
be sent to server. So bump can always work later, but splice maybe cannot.

Splice is to switch to opaque tunneling of the traffic immediately.

Bump is to MITM the certificate exchange, injecting a fake server cert
for the client's use and stripping out any features Squid cannot support.


The old server-first receives the TCP details from the client. Then uses
that *alone* to establish a connection to the server based on TLS
features supported by your Squid. Then receives and attempts to respond
to the clientHello using what the serverHello contained.
It requires that the client is capable of handling the same feature set
as Squid, or at least the TLS features chosen by the server from the set
Squid offered.


The authoritative document about all this is
<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>.
That has had a few re-writes to clarify.

Which parts (if any in the current text) are you getting confused or
lost by?


Amos
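As an added illustration (not part of the list message or Squid's own documentation), the squid.conf rule set below maps the four verbs described above onto the three SslBump steps for an explicit (CONNECT) proxy; the acl names and the domains in the splice list are constructed placeholders.

```conf
# Added example, not from the list message. acl names and the splice
# list are placeholders; adjust to your own policy.
acl step1 at_step SslBump1   # only the CONNECT request (TCP details) is known
acl step2 at_step SslBump2   # the client's ClientHello (SNI etc.) has been read
acl step3 at_step SslBump3   # the server's hello/certificate has been received

# Constructed placeholder list: sites that must never be bumped
# (pinned apps, client-certificate auth, and so on).
acl nobump ssl::server_name .bank.example .pinned.example

# Step 1: peek reads the ClientHello without touching the bytes on-wire,
# so splicing remains possible once the SNI is known.
ssl_bump peek step1

# Step 2: the SNI is available. Tunnel the exempt sites opaquely ...
ssl_bump splice nobump
# ... and stare at everything else: Squid synthesizes its own TLS
# exchange with the server, so bump is guaranteed at step 3
# (splice may no longer be).
ssl_bump stare step2

# Step 3: MITM the rest with a generated server certificate.
ssl_bump bump step3

# Legacy single-rule equivalent discussed above (no per-site splicing):
# ssl_bump server-first all
```

Rules are evaluated in order at every step, so the first matching action wins; a site in the splice list is tunneled at step 2 and never reaches the stare/bump rules.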

