[squid-users] Best way to prevent squid from bumping CONNECTs

Scott 3m9n51s2ewut at thismonkey.com
Mon Apr 27 16:21:13 UTC 2020


Hi,

my experience with ssl_bump is that it tries to bump SSL connections whether 
presented to Squid explicitly or implicitly.

I have a device with two pieces of software, one configured with Squid 
explicitly, one that requires intercept (via WCCP).

So both explicit CONNECT messages (on 3128/TCP) and SSL (on 443/TCP) arrive at 
Squid.

When simply configuring `ssl_bump bump host_acl' the Squid logs show Squid 
trying, and failing, to bump CONNECT requests.  They may be failing due to a 
certificate issue, most likely; I'm not sure.  I can't add to the certificate 
store of the software that has the proxy configured (i.e. it will not permit 
bumping).

Is it expected that Squid will bump/splice CONNECT requests?
Because not all CONNECT sessions are SSL, if the CONNECT destination does not 
begin a TLS handshake will Squid revert to simply creating a TCP tunnel 
instead of bumping?

My workaround has been to simply add `!CONNECT' to the `ssl_bump host_acl' 
statements.  Squid will happily bump the SSL sessions and proxy the CONNECT 
sessions.

Thanks,
Scott
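One way to express the intended split in squid.conf (never bump the explicit-proxy client that cannot trust the local CA, bump only intercepted traffic), as an added example that is not part of Scott's post and not an official Squid recommendation. It assumes Squid 4.x directive syntax, port 3129 as the target of the WCCP/firewall redirect for port 443, a placeholder CA certificate path, and that `host_acl` is defined elsewhere (for example on `ssl::server_name`).

```squid
# squid.conf fragment (added example; paths and port 3129 are assumptions)

# Explicit proxy port: clients configured to use Squid send CONNECT here.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Intercepted TLS: port 443 traffic redirected by WCCP/firewall lands here.
https_port 3129 intercept ssl-bump \
    tls-cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Distinguish the two entry points by the port the connection arrived on
# (myportname defaults to the port number when no name= is given).
acl step1 at_step SslBump1
acl explicit_port myportname 3128
acl intercept_port myportname 3129

# Step 1: peek at the ClientHello so SNI is available for the decisions below.
ssl_bump peek step1

# Explicit-proxy clients cannot trust our CA: always tunnel, never bump.
ssl_bump splice explicit_port

# Intercepted sessions: bump only the hosts selected by host_acl ...
ssl_bump bump intercept_port host_acl

# ... and pass everything else through untouched.
ssl_bump splice all
```

Splicing rather than bumping on the explicit port also covers non-TLS CONNECT tunnels, since a spliced connection is relayed as an opaque TCP stream.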

