[squid-users] Best way to prevent squid from bumping CONNECTs
Alex Rousskov
rousskov at measurement-factory.com
Thu Apr 30 20:05:43 UTC 2020
On 4/30/20 12:10 PM, Scott wrote:
>> * For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels
>> are sent to the SslBump code.
>>
>> * For https_port configured with an ssl-bump flag, all traffic is sent
>> to the SslBump code (by faking a corresponding HTTP CONNECT request).
> These `fake' CONNECT requests I assume only contain the IP address of the
> upstream server, not the hostname, as intercepted SSL connections are TCP
> OPENs.
Modern Squid replaces the TCP-derived destination IP address with the TLS
SNI-derived domain name when generating the second fake CONNECT request.
The second CONNECT is generated during SslBump step2, after parsing the TLS
client handshake.
> Am I right then in saying that using ssl::server_name is useless for bumped
> intercepted connections?
It may be useful for ACLs checked during SslBump step2 (because it will
check the TLS client SNI-derived domain name) and during step3 (when it
will check TLS server certificate-derived CN and SubjectAltName).
HTH,
Alex.
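The step-aware ACL evaluation Alex describes, as an added squid.conf example that is not part of the thread and not Squid's own documentation. The https_port number, the certificate path and the .bank.example / .mail.example names are assumptions chosen for illustration:

```conf
# Intercepting TLS port; every accepted connection becomes a fake CONNECT.
# (cert path is an assumption)
https_port 3129 intercept ssl-bump generate-host-certificates=on \
    tls-cert=/etc/squid/bump.pem

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites that must never be decrypted (constructed names).
acl nobump ssl::server_name .bank.example .mail.example

# Step 1: only the TCP destination IP is known, so ssl::server_name could
# not match a domain here. Peek at the client hello to learn the SNI.
ssl_bump peek step1

# Step 2: the fake CONNECT now carries the SNI-derived name, so the ACL
# compares against the hostname the client asked for. Matching sites are
# spliced (tunnelled untouched); everything else is bumped here.
ssl_bump splice nobump
ssl_bump bump all
```

The splice decision at step2 trusts the client-supplied SNI. If a policy has to be based on the name in the origin server's certificate instead, peek at step2 as well (`ssl_bump peek step2`) and put the `splice nobump` rule in front of a `terminate all` rule for step3; after peeking at the server hello Squid can no longer bump that connection, so the step3 choice is between splicing and terminating.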