[squid-users] About SSL peek-n-splice/bump configurations
Julian Perconti
vh1988 at yahoo.com.ar
Wed Sep 19 16:23:28 UTC 2018
> After a splice rule is applied, SslBump is over. No more rules are
> checked. No more loops are iterated. Squid simply "exits" the SslBump
> feature (and becomes a TCP tunnel).
How is that? What about the meaning of the ACLs at step1 when splicing?
e.g.:
There are only these two rules for ssl_bump statements:
ssl_bump step1 splice sitesAB
ssl_bump step1 splice SitesCD
I guess that here, Squid has to do 2 loops at the outer/main loop to evaluate step1 twice, because the rules differ (sitesAB and sitesCD ACLs), and see if both match to splice.
Probably this example does not make sense: "Why not use just 1 ACL instead of 2?" But it is an example to understand and fix ideas.
Are you (perhaps) talking about the examples in the thread and not about what happens "in general"?
> If noBumpSites matches at step2, then, yes, Squid will splice at step3
> by default. Otherwise, no; Squid will bump at step3 by default.
[...]
You mentioned that explanation two times.
The question (maybe obvious) is: in which case could the "noBumpSites" ACL not match? I mean, if I tell Squid: "splice at step1 this.site.net", how can that match fail?
Maybe you referred to the case where a site is just not listed in the ACL.
> > ssl_bump splice noBumpSites # This line reaches a splice rule at step1
> > ssl_bump stare
>
> > Squid is telling to the client: "I will not touch any TLS byte.
> > [...] I will do as many checks as possible then You will be connected..."
>
> The configuration above does not match your summary because the
> configuration has a "stare" action that may run at (step1 and) step2
> (and, hence, a possibility of the bump action at step3). Staring at
> step2 and bumping (at any step) modify TLS bytes, of course.
>
> Perhaps your summary only applies to the cases where noBumpSites
> matches (either at step1 or at step2), but the summary did not make
> that clear.
Here arises more or less the same doubt as above and as the final one.
> There is a big difference between explaining Squid actions for a
> particular transaction and summarizing what a particular configuration
> means (for all transactions). Unless noted otherwise, I am focusing on the latter.
>
> AFAICT, the primary difference between
>
> ssl_bump peek noBumpSites
> ssl_bump stare
>
> and
>
> ssl_bump splice noBumpSites
> ssl_bump stare
>
> is that the former requires a noBumpSites match at step2 for the
> connections to be spliced.
Yes. The condition you describe is mandatory but, again: why could that requirement fail/not match?
Thank you for your patience.
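The step-by-step evaluation that the two quoted configurations (and the two-splice example above) go through, as an added simplified model written for this thread, not Squid's own code: at each step the first matching rule wins, splice/bump/terminate end SslBump, peek/stare move on to the next step, and at step3 the defaults quoted in the thread apply (splice after peek, bump after stare). The ACL contents, hostnames, and the assumption that a name-based ACL sees only the CONNECT host at step1 and the SNI from step2 on are constructed for the example; the model ignores whether bumping after peeking is actually possible.

```python
from dataclasses import dataclass
from typing import Optional

FINAL = {"splice", "bump", "terminate"}   # actions that end SslBump for the connection

@dataclass
class Rule:
    action: str
    acl: Optional[str] = None   # None stands in for "all": the rule always matches

@dataclass
class Conn:
    connect_host: Optional[str]   # host named in an explicit CONNECT; None when intercepted
    sni: Optional[str]            # SNI from the ClientHello; readable only from step2 on

def known_name(conn: Conn, step: int) -> Optional[str]:
    """Server name a name-based ACL can see (assumption: CONNECT host at step1, SNI later)."""
    return conn.connect_host if step == 1 else (conn.sni or conn.connect_host)
def evaluate(rules, acls, conn):
    """Walk the three SslBump steps; return (final action, deciding step, per-step trace)."""
    trace, previous = [], None
    for step in (1, 2, 3):
        name = known_name(conn, step)
        action = None
        for r in rules:                       # first matching rule wins
            if step == 3 and r.action not in FINAL:
                continue                      # assumption: peek/stare rules are skipped at step3
            if r.acl is None or (name is not None and name in acls[r.acl]):
                action = r.action
                break
        if action is None:                    # no rule matched (assumption): keep the
            action = "bump" if previous == "stare" else "splice"   # previous disposition
        trace.append((step, action))
        if action in FINAL:                   # splice/bump/terminate: SslBump is over
            return action, step, trace
        previous = action                     # peek or stare: on to the next step
# Constructed ACL contents and the three rule sets discussed in the thread.
ACLS = {"noBumpSites": {"bank.example"},
        "sitesAB": {"a.example", "b.example"}, "sitesCD": {"c.example", "d.example"}}
PEEK_THEN_STARE = [Rule("peek", "noBumpSites"), Rule("stare")]
SPLICE_THEN_STARE = [Rule("splice", "noBumpSites"), Rule("stare")]
TWO_SPLICES = [Rule("splice", "sitesAB"), Rule("splice", "sitesCD")]

if __name__ == "__main__":
    for label, rules in (("peek/stare", PEEK_THEN_STARE), ("splice/stare", SPLICE_THEN_STARE)):
        for c in (Conn("bank.example", "bank.example"),   # explicit CONNECT to a listed site
                  Conn(None, "bank.example"),             # intercepted: no name before step2
                  Conn("shop.example", "shop.example")):  # listed nowhere
            print(f"{label:13} {c}: {evaluate(rules, ACLS, c)}")
```

The intercepted case shows one way a name-based ACL can fail to match at step1: there is no name to compare yet, so only the second rule can fire there.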