[squid-users] Microsoft store issues with ssl-bump

Alex Rousskov rousskov at measurement-factory.com
Tue Jan 12 15:30:18 UTC 2021


On 1/12/21 3:33 AM, Eliezer Croitoru wrote:

> The Windows 10 MS Store tries to connect the domains:
> storeedgefd.dsx.mp.microsoft.com

> which is bypassed from SSL BUMP with a regex and server-name.

>   * Squid 5.0.4 on Fedora 33.

It sounds like you have tried to configure Squid to splice traffic
matching some criteria. So does Squid actually splice traffic matching
those criteria? That is the first question I would ask myself when
trying to triage this problem.

Assuming you can create test traffic, there are many ways to answer that
question, including:

1. Checking whether Squid signs Squid-to-client traffic with its own
certificate.

2. After skipping any CONNECT exchanges, comparing to-Squid TCP payload
with from-Squid TCP payload. If the answer to the question is "yes",
then that payload should be identical, in both client-server and
server-client directions.

3. Sharing Squid debugging logs containing an isolated test transaction.

Testing with other proxies and speculating about the magical possibility
of client detection of TLS splicing is a waste of time _if_ your Squid
configuration is incorrect (i.e. if Squid correctly follows its
configuration, but that configuration contradicts your goals). Thus, I
recommend starting by validating that splicing is happening, as
discussed above.


HTH,

Alex.
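
Check 2 from the message above, as an added example that is not part of the original post or of Squid. It assumes the four per-direction TCP payload streams have already been reassembled from packet captures taken on both sides of Squid; the function names and sample bytes are constructed for illustration.

```python
# Added example. All byte strings below are constructed samples, not captured traffic.
HEADER_END = b"\r\n\r\n"

def strip_http_head(stream: bytes, prefix: bytes) -> bytes:
    """Drop a leading CONNECT request or its HTTP response; keep tunnelled bytes."""
    if not stream.startswith(prefix):
        return stream  # intercepted traffic carries no CONNECT exchange
    _head, sep, rest = stream.partition(HEADER_END)
    if not sep:
        raise ValueError("incomplete CONNECT exchange in capture")
    return rest

def first_mismatch(a: bytes, b: bytes):
    """Offset of the first differing byte, or None when the streams are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def compare_sides(client_to_squid, squid_to_server, server_to_squid, squid_to_client):
    """Compare to-Squid payload with from-Squid payload in both directions."""
    return {
        "client_to_server": first_mismatch(
            strip_http_head(client_to_squid, b"CONNECT "), squid_to_server),
        "server_to_client": first_mismatch(
            server_to_squid, strip_http_head(squid_to_client, b"HTTP/1.")),
    }

def is_spliced(result) -> bool:
    """Spliced traffic is byte-identical on both sides of Squid."""
    return all(offset is None for offset in result.values())

# Constructed streams: opaque stand-ins for TLS handshake records.
CONNECT_REQ = (b"CONNECT storeedgefd.dsx.mp.microsoft.com:443 HTTP/1.1\r\n"
               b"Host: storeedgefd.dsx.mp.microsoft.com:443\r\n\r\n")
CONNECT_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
CLIENT_HELLO = b"\x16\x03\x01\x00\x04CH-A"
SERVER_FLIGHT = b"\x16\x03\x03\x00\x04SH-A"

# Spliced: Squid forwards both directions unchanged.
SPLICED = compare_sides(CONNECT_REQ + CLIENT_HELLO, CLIENT_HELLO,
                        SERVER_FLIGHT, CONNECT_OK + SERVER_FLIGHT)
# Bumped: Squid sends its own hello upstream and its own handshake to the client.
BUMPED = compare_sides(CONNECT_REQ + CLIENT_HELLO, b"\x16\x03\x01\x00\x04CH-B",
                       SERVER_FLIGHT, CONNECT_OK + b"\x16\x03\x03\x00\x04SH-B")

if __name__ == "__main__":
    print("spliced:", SPLICED, "bumped:", BUMPED)
```

A reported offset shows where the two sides first diverge, which is the place to start reading the capture when the streams are not identical.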

