[squid-users] Strange Squid SSL Interception Behavior

Alex Rousskov rousskov at measurement-factory.com
Wed Aug 26 13:54:51 UTC 2020


On 8/26/20 9:13 AM, Amos Jeffries wrote:
> On 26/08/20 11:03 pm, Mathew Brown wrote:
>> Thank you Alex + Amos :) You've really helped clarify things. I had a
>> final question regarding this setup. Does this configuration only look
>> at the client side part of the SNI request or also the server
>> certificate.

>> acl whitelist ssl::server_name .httpbin.org
>> 
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet CONNECT
>> 
>> ssl_bump peek step1
>> ssl_bump splice whitelist
>> ssl_bump terminate all


The above ssl_bump configuration ignores the TCP client information
(during step1) and looks at TLS client information (during the next step
-- step2). With this configuration, Squid will not see the server
certificate at all.


>> If it only looks at the client-side, how would I tell it to
>> look at the server response as well?

If you want Squid to consider the server certificate as well (during
step3), replace "step1" with "all". See ssl::server_name ACL for the
documentation of what "as well" really means in this context. It's
complicated.


> The process is all described at
> https://wiki.squid-cache.org/Features/SslPeekAndSplice

Yes, and also see the documentation for the ssl::server_name ACL. In
modern Squids, you can control what information that ACL is using.


BTW, I just realized that my earlier statements about reverse DNS
lookups were misleading: The ssl::server_name ACL does not do any DNS
lookups. When given an unresolved IP address, that ACL will usually
mismatch .httpbin.org (regardless of whether the reverse lookup would
have returned a matching domain name).


HTH,

Alex.
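The variant Alex describes above, written out as an added squid.conf fragment (it is not from the original thread and not one of the Squid project's own examples). It keeps Mathew's whitelist and CONNECT rules, replaces "step1" with "all" so that the splice/terminate decision is not taken until the server certificate has been peeked at (step3), and shows the ssl::server_name options (--client-requested, --server-provided, --consensus) that control which name source the ACL consults. Those option names and the default "match if any source matches" behaviour are taken from the ssl::server_name entry in squid.conf.documented for Squid 4 and later; the SSL_ports and localnet definitions are placeholders standing in for the ones in the default squid.conf, and the exact matching semantics should be checked against the version you run.

```conf
# Added example, not from the original thread. Assumes a Squid version
# whose ssl::server_name ACL accepts the --client-requested,
# --server-provided and --consensus options (Squid 4 and later).

acl SSL_ports port 443
acl localnet src 192.0.2.0/24          # constructed placeholder network

# Mathew's original whitelist. Without an option the ACL matches if any
# name source (CONNECT URI, client SNI, or server certificate subject)
# matches .httpbin.org at the step where the ACL is evaluated.
acl whitelist ssl::server_name .httpbin.org

# Same domain, but only when the name the client asked for (SNI) and
# the name(s) in the server certificate agree with each other and with
# the ACL value. This is the "as well" Alex points at: with this ACL a
# connection is spliced only if both sides claim the whitelisted name.
acl whitelist_consensus ssl::server_name --consensus .httpbin.org

# For comparison: match on one source only.
acl sni_only  ssl::server_name --client-requested .httpbin.org
acl cert_only ssl::server_name --server-provided  .httpbin.org

http_access deny CONNECT !SSL_ports
http_access allow localnet CONNECT
http_access deny all

# "peek all" instead of "peek step1": step1 sees the CONNECT target,
# step2 the TLS ClientHello (SNI), step3 the server certificate. Squid
# skips ssl_bump actions that do not apply at the current step, so at
# step3 the peek line is passed over and the splice/terminate rules
# decide, now with the server certificate available to the ACL.
ssl_bump peek all
ssl_bump splice whitelist_consensus
ssl_bump terminate all
```

Under the documented default (any source matches), a client that sends SNI httpbin.org to a server whose certificate names something else would still be spliced by the original whitelist, because the SNI alone satisfies the ACL; --consensus closes that gap by requiring the client-requested and server-provided names to agree. The trade-off is that servers presenting a certificate that does not name the requested host (misconfigured virtual hosts, for instance) fall through to "terminate all", so watch the access log for unexpected terminations when switching the ACL.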

