[squid-users] no ssl intercept - question how it works

Amos Jeffries squid3 at treenet.co.nz
Thu Aug 12 03:01:26 UTC 2021


On 12/08/21 4:06 am, robert k Wild wrote:
> Great thanks Amos as always
> 
> So shall I leave this ssl bump lines in
> 
> ssl_bump splice NoSSLIntercept
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
> 
> And delete this one
> 
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> 
> As you're right, they're both the same, I didn't spot that
> 
> My understanding is the "no ssl intercept", squid doesn't even bother to 
> inspect the packets ie man in the middle and just literally passes it 
> straight to the client
> 
> Is that right?
> 

Not quite. Squid still has to receive and look at something to make the 
decision to splice.

The "NoSSLIntercept" is just an ACL. Being defined as a ssl::server_name 
type it looks at whatever Squid is able to find for a server name 
amongst the available data (CONNECT message URI, the client IP's 
reverse-DNS, any TLS details seen so far, etc.).
So it depends on how many of the SSL-Bump steps have taken place so 
far as to what it can match against.

In your case it happens at step1 and maybe step2 (when the peek happened 
at step1 instead). Which means Squid looks at the TCP connection's 
client IP, a CONNECT URI (if any) and maybe the TLS client handshake 
plain-text details.

Note this is specific to your *current* configuration. Small changes 
to the order of ssl_bump lines or ACLs used can change this behaviour 
dramatically.

Amos
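As an added illustration of the step-by-step matching described above (not config from this thread or from the Squid project), here is a squid.conf fragment that makes explicit which data each ssl_bump step can match on; the at_step ACL names and the domain list are assumptions chosen for the example.

```squid
# Added example, not from the thread. Step ACLs and domains are assumed.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Server names that must not be intercepted (constructed sample list).
# What this ACL can see depends on the step at which it is evaluated:
#   step1: CONNECT URI, client IP reverse-DNS
#   step2: the above plus the TLS ClientHello (SNI), if step1 was a peek
#   step3: the above plus the server certificate, if step2 was a peek
acl NoSSLIntercept ssl::server_name .example.com .example.net

# Step 1: always peek, so the client's TLS ClientHello becomes visible.
# Squid still reads the CONNECT and the ClientHello before deciding.
ssl_bump peek step1

# Step 2: NoSSLIntercept is now evaluated with the SNI available.
# Matching connections are spliced: passed through without decryption.
ssl_bump splice NoSSLIntercept

# Everything else is decrypted and inspected.
ssl_bump bump all
```

Putting the splice line before the peek, as in the quoted config, evaluates NoSSLIntercept first at step1 with only the CONNECT URI and client IP, then again at step2 once the SNI has been peeked, which is the "step1 and maybe step2" behaviour described above.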

