[squid-users] About SSL peek-n-splice/bump configurations

Julian Perconti vh1988 at yahoo.com.ar
Wed Sep 19 16:23:28 UTC 2018


>After a splice rule is applied, SslBump is over. No more rules are
>checked. No more loops are iterated. Squid simply "exits" the SslBump
>feature (and becomes a TCP tunnel).

How is that? What about the meaning of the ACLs at step1 when splicing?

e.g.:
There are only these two rules for ssl_bump statements:

ssl_bump splice step1 sitesAB
ssl_bump splice step1 sitesCD

I guess that here Squid has to do 2 iterations of the outer/main loop to evaluate step1 twice, because the rules differ (sitesAB and sitesCD ACLs), and see if both match to splice.
Probably this example does not make sense: "Why not use just 1 ACL instead of 2?" But it is an example to understand and fix ideas.

Are you (perhaps) talking about the examples in the thread and not what happens "in general"?

> If noBumpSites matches at step2, then, yes, Squid will splice at step3 
> by default. Otherwise, no; Squid will bump at step3 by default.

[... ]

You mentioned that explanation two times.
The question (maybe obvious) is: In which case could the "noBumpSites" ACL not match? I mean, if I tell Squid: "splice at step1 this.site.net", how can that match fail?
Maybe you referred to the case where a site is just not listed in the ACL.

> >   ssl_bump splice noBumpSites # This line reaches a splice rule at step1
> >   ssl_bump stare
> 
> > Squid is telling to the client: "I will not touch any TLS byte. 
> > [...] I will do as many checks as possible then You will be connected..."
> 
> The configuration above does not match your summary because the 
> configuration has a "stare" action that may run at (step1 and) step2 
> (and, hence, a possibility of the bump action at step3). Staring at
> step2 and bumping (at any step) modify TLS bytes, of course.
> 
> Perhaps your summary only applies to the cases where noBumpSites 
> matches (either at step1 or at step2), but the summary did not make 
> that clear.

Here arises more or less the same doubt as above, and the final one.

> There is a big difference between explaining Squid actions for a 
> particular transaction and summarizing what a particular configuration 
> means (for all transactions). Unless noted otherwise, I am focusing on the latter.
> 
> AFAICT, the primary difference between
> 
>   ssl_bump peek noBumpSites
>   ssl_bump stare
> 
> and
> 
>   ssl_bump splice noBumpSites
>   ssl_bump stare
> 
> is that the former requires a noBumpSites match at step2 for the 
> connections to be spliced.

Yes. The condition you mention is mandatory but, again: Why could that requirement fail/not match?

Thank you for the patience.


