[squid-users] Best way to prevent squid from bumping CONNECTs
Scott
3m9n51s2ewut at thismonkey.com
Mon Apr 27 16:21:13 UTC 2020
Hi,
my experience with ssl_bump is that it tries to bump SSL connections whether
presented to Squid explicitly or implicitly.
I have a device with two pieces of software, one configured with Squid
explicitly, one that requires intercept (via WCCP).
So both explicit CONNECT messages arrive at squid (on 3128/TCP) and SSL (on
443/TCP).
When simply configuring 'ssl_bump bump host_acl', the Squid logs show Squid
trying, and failing, to bump CONNECT requests. They may be failing due to a
certificate issue most likely, I'm not sure. I can't add to the certificate
store of the software that has the proxy configured (i.e. it will not permit
bumping).
Is it expected that Squid will bump/splice CONNECT requests?
Because not all CONNECT sessions are SSL, if the CONNECT destination does not
begin a TLS handshake will Squid revert to simply creating a TCP tunnel
instead of bumping?
My workaround has been to simply add '!CONNECT' to the 'ssl_bump host_acl'
statements. Squid will happily bump the SSL sessions and proxy the CONNECT
sessions.
Thanks,
Scott