[squid-users] About SSL peek-n-splice/bump configurations

Alex Rousskov rousskov at measurement-factory.com
Sun Aug 12 23:49:58 UTC 2018


On 08/12/2018 04:09 PM, Julian Perconti wrote:

> I would like to know which of these two cfg's are "better" or "more secure"
> when a site/domain is spliced, bumped, etc.

It is impossible to answer that question without knowing how _you_
define "better" or "more secure".


> acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"

> # ssl_bump option 1: (with this I don't see the domain in "TUNNEL" line,
> just the IP addr.)
> 
> ssl_bump peek step1
> ssl_bump peek step2 noBumpSites
> ssl_bump splice step3 noBumpSites
> ssl_bump stare step2
> ssl_bump bump step3
> 
> # ssl_bump option 2: (with this I see the domain in "TUNNEL" line.)
> 
> ssl_bump peek step1
> ssl_bump splice noBumpSites
> ssl_bump bump all
> 
> 
> And (if possible) could anyone explain the difference between these 2 cfg's ?

Bugs notwithstanding, Option 1 looks at the TLS server Hello details
(step2) before splicing or bumping the connections (at step3). Option 2
does not -- it splices or bumps based on TLS client Hello info only.

Option 1 should give Squid/you more information about the server when
splicing the two connections. For example, you can use server
certificate info during step3 and when logging.

Option 1 should give the client more information about the server when
bumping the client -- the client will get a mimicked server certificate
detail with this option.

I believe the information obtained at each step is documented at
https://wiki.squid-cache.org/Features/SslPeekAndSplice

Please note that your

  ssl_bump splice step3 noBumpSites

is a bit risky because your noBumpSites may match differently on each
step (as it gets more reliable information). It could match at step2 but
not match at step3 or vice versa, but the decision to splice (or bump)
is essentially made at step2 -- if you peeked at step2, then you should
be splicing or terminating at step3 (and if you stared at step2, then
you should be bumping or terminating at step3). Your rules may not
follow that principle if noBumpSites matching changes.


> with Option 1 I don't see the domain in "TUNNEL" line,
> just the IP addr.

I doubt that is how it is supposed to work. When splicing, Option 1
should have the same or more information so it should log the domain
name if Option 2 has the domain name. If you are comparing log lines for
identical transactions, then this could be a Squid bug.

Alex.
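The peek/stare commitment Alex describes above is easy to get wrong when an ssl::server_name ACL matches differently at each step. The following is an added example, not Squid code and not from the thread: a small Python model of three-step ssl_bump evaluation that replays Option 1 and Option 2 against constructed transactions and flags a step3 decision that contradicts the step2 action. It assumes a simplified view of what ssl::server_name sees at each step (CONNECT target at step1, client Hello SNI at step2, server certificate CN/SAN at step3), treats step1/step2/step3 as at_step ACLs, and does not model Squid's default action when no rule matches; the regex in NOBUMP_ACLS stands in for the contents of /etc/squid/url.nobump.

```python
"""Toy model of Squid's three-step ssl_bump evaluation (added example, not Squid code).

Models only what the thread discusses: rules are tried in order at each step and
the first match wins; ssl::server_name sees different data at each step; peeking
at step2 commits Squid to splice/terminate at step3, staring commits it to
bump/terminate.  Squid's default when no rule matches is NOT modelled.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STEPS = ("step1", "step2", "step3")
FINAL = {"splice", "bump", "terminate"}
ALLOWED = {"step1": FINAL | {"peek", "stare"},
           "step2": FINAL | {"peek", "stare"},
           "step3": FINAL}


@dataclass(frozen=True)
class Rule:
    action: str
    acls: Tuple[str, ...]   # every named ACL must match; empty tuple behaves like "all"


@dataclass(frozen=True)
class Transaction:
    """What Squid learns about one tunnel as the steps progress (constructed data)."""
    connect_host: str                   # step1: CONNECT target, often just an IP
    sni: Optional[str]                  # step2: SNI from the client Hello, may be absent
    cert_names: Tuple[str, ...] = ()    # step3: CN/SAN from the server certificate


def parse_rules(config_text: str) -> List[Rule]:
    rules = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "ssl_bump" or len(parts) < 2:
            raise ValueError(f"not an ssl_bump line: {line!r}")
        rules.append(Rule(parts[1], tuple(parts[2:])))
    return rules


def server_names(tx: Transaction, step: str) -> List[str]:
    """Simplified approximation of what ssl::server_name can match at each step."""
    if step == "step1":
        return [tx.connect_host]
    if step == "step2":
        return [tx.sni or tx.connect_host]
    return list(tx.cert_names) or [tx.sni or tx.connect_host]


def acl_matches(name: str, regex_acls: Dict[str, List[str]], tx: Transaction, step: str) -> bool:
    if name == "all":
        return True
    if name in STEPS:               # treated as: acl stepN at_step SslBumpN
        return name == step
    if name in regex_acls:          # treated as: acl NAME ssl::server_name_regex -i ...
        return any(re.search(pat, n, re.IGNORECASE)
                   for pat in regex_acls[name] for n in server_names(tx, step))
    raise KeyError(f"undefined ACL {name!r}")


def trace(config_text: str, regex_acls: Dict[str, List[str]], tx: Transaction) -> List[Tuple[str, str]]:
    """Return [(step, action), ...] for one transaction, stopping at the first final action."""
    rules = parse_rules(config_text)
    out = []
    for step in STEPS:
        chosen = next((r for r in rules
                       if all(acl_matches(a, regex_acls, tx, step) for a in r.acls)), None)
        if chosen is None:
            out.append((step, "no-match"))   # default behaviour intentionally not modelled
            break
        if chosen.action not in ALLOWED[step]:
            raise ValueError(f"{chosen.action} is not a valid action at {step}")
        out.append((step, chosen.action))
        if chosen.action in FINAL:
            break
    return out


def audit(config_text: str, regex_acls: Dict[str, List[str]], tx: Transaction) -> List[str]:
    """Flag a step3 decision that contradicts the commitment made by peek/stare at step2."""
    actions = dict(trace(config_text, regex_acls, tx))
    s2, s3 = actions.get("step2"), actions.get("step3")
    problems = []
    if s2 == "peek" and s3 == "bump":
        problems.append("peeked at step2 but bumped at step3")
    if s2 == "stare" and s3 == "splice":
        problems.append("stared at step2 but spliced at step3")
    return problems


# The two rule sets from the thread; the regex stands in for /etc/squid/url.nobump.
OPTION1 = """
ssl_bump peek step1
ssl_bump peek step2 noBumpSites
ssl_bump splice step3 noBumpSites
ssl_bump stare step2
ssl_bump bump step3
"""
OPTION2 = """
ssl_bump peek step1
ssl_bump splice noBumpSites
ssl_bump bump all
"""
NOBUMP_ACLS = {"noBumpSites": [r"^mail\.example\.com$"]}

# Constructed transactions; in two of them the SNI and the server certificate
# disagree, so noBumpSites matches at one step but not the other.
AGREE = Transaction("203.0.113.10", "mail.example.com", ("mail.example.com",))
SNI_ONLY_MATCH = Transaction("203.0.113.10", "mail.example.com", ("cdn.example.net",))
CERT_ONLY_MATCH = Transaction("203.0.113.10", "www.example.org", ("mail.example.com",))

if __name__ == "__main__":
    for name, tx in (("agree", AGREE), ("sni-only", SNI_ONLY_MATCH), ("cert-only", CERT_ONLY_MATCH)):
        for label, cfg in (("option1", OPTION1), ("option2", OPTION2)):
            print(name, label, trace(cfg, NOBUMP_ACLS, tx), audit(cfg, NOBUMP_ACLS, tx))
```

Running it shows the asymmetry: with Option 1 the transactions where SNI and certificate disagree produce peek-then-bump or stare-then-splice traces, which the audit flags; Option 2 never reaches step3, so it is internally consistent but decides on client Hello information alone.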

