[squid-users] HSTS and HPKP
Amos Jeffries
squid3 at treenet.co.nz
Fri Jul 27 04:34:54 UTC 2018
On 27/07/18 16:10, Gordon Hsiao wrote:
> I'm running squid4.1 interception peek+splice mode.
>
> Some sites with HSTS(max-age=0) will not work whenever squid is on, HSTS
> max-age=0 is supposed to turn off HSTS, but chrome/firefox will keep
> redirecting https<-->http until it failed(too many redirects). Once
> Squid is removed all is good.
>
> I also searched various lists and squid's website, it's still unclear to
> me, for intercept proxy, can Squid deal with HSTS reliably these days?
>
Handle yes. Reliably no.
Squid should be erasing the HSTS header completely whenever it can. The
problem is that HSTS can be delivered in several ways that Squid is not
in control of (spliced' traffic, non-HTTP protocols, and non-proxied
connections). You have to reliably seal off those other protocols and
connection types for the MITM proxy to have even a basic chance at success.
FWIW: any HSTS TTL value that gets through to the server breaks things.
Even though max-age=0 can be used to clear some of those other HSTS
avenues, it still breaks things just by turning on the HSTS handling at
the server.
> A similar questions is HPKP, or the pinning certificate, can Squid 4.1
> handle that?
No.
While HSTS was a train wreck from day-0, HPKP is technically closer to
how TLS was supposed to be used in the first place.
AFAIK, the only thing you can do in the presence of client application
using HPKP is splice. Server using it does not matter if the client is
not checking.
Amos
More information about the squid-users
mailing list