[squid-users] peek & splice only to log ssl info

Alex Rousskov rousskov at measurement-factory.com
Fri Feb 25 23:07:11 UTC 2022


On 2/25/22 14:36, Matus UHLAR - fantomas wrote:

> I only intend to splice connections but after repeated reading 
> https://wiki.squid-cache.org/Features/SslPeekAndSplice I still don't 
> understand parts of the logic.
> 
> - is the combination described at:
> https://wiki.squid-cache.org/Features/SslPeekAndSplice#Basic_Splicing_and_Bumping 
> 
> enough for logging SNI and cert info?

There are three combinations described in that section. The first peeks 
at SNI and certificate info (so the answer is "yes"). The other two are 
more complex and may not have access to some of that info in some cases.


> - are peek and they completely equal at step 1?

Bugs notwithstanding, Squid does the same thing right after discovering 
that a peek or stare rule matched during step1 -- Squid tries to look at 
the TLS client Hello message (where SNI is stored).

The difference, if any, only comes after Squid looks at that 
ClientHello. Bugs notwithstanding(*), if no ssl_bump rule matches during 
step2, then the next Squid action will be either splice or bump, 
depending on which rule (peek or stare) matched at the first step.

By using "peek", you tell Squid that you intend to splice if everything 
goes alright; and by using stare, you tell Squid that you intend to 
bump. After step1, you can still change your mind (because the immediate 
Squid operations are the same -- look at ClientHello). After step2, you 
cannot (because Squid operations differ and, in modern environments, 
peeking precludes future bumping and staring precludes future splicing 
as detailed further below).

(*) There are recently discovered bugs in this area (that we are 
fixing), so you should not rely on this, but that is what Squid will be 
doing when those bugs are fixed. I do not recommend relying on such 
"defaults" anyway -- make sure the step after a peek or stare rule match 
has a matching rule.


> - what's the difference between peek and splice that makes it impossible 
>    (most of the time) to splice (stare) or bump (peek) the connection?

* When Squid peeks, it forwards the user agent TLS client Hello message 
to the TLS server intact. After forwarding that virgin Hello, Squid 
cannot become a part of the TLS conversation. Squid has to splice or 
terminate the connections, which are both TCP- not TLS-level operations.

* When Squid stares, Squid modifies the TLS client Hello received from 
the user agent to use Squid-specific TLS secrets and then sends the 
adapted ClientHello to the TLS server. After that, it is impossible for 
Squid to get out of the loop -- the conversation is now based on 
Squid-provided secrets. Squid has to bump or terminate the connections.


HTH,

Alex.
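A squid.conf fragment illustrating the "peek then splice" combination discussed in this thread, with explicit rules at every step and an access_log that records SNI and server-certificate fields. This is an added example, not from the original message or the Squid wiki; the port number, certificate path and log path are assumptions.

```conf
# Assumed: an interception port; Squid requires a CA cert for any ssl-bump port
# even when every connection is spliced. Path and port are placeholders.
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/squid-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# step1: peek at the TLS ClientHello (SNI). As noted above, "peek" declares the
# intent to splice; the ClientHello is forwarded to the server unmodified.
ssl_bump peek step1
# step2: peek again so Squid also sees the server's certificate before deciding.
# Splicing here instead would log the SNI but never see the certificate.
ssl_bump peek step2
# step3: splice (TCP-level forwarding). Bumping is not possible after peeking,
# so "bump" here would only produce errors. An explicit rule for each step
# avoids relying on the default action after a peek match.
ssl_bump splice step3
# Anything not matched above (e.g. unexpected steps) is terminated.
ssl_bump terminate all

# Log what the peeks observed. %ssl::>sni, %ssl::<cert_subject,
# %ssl::<cert_issuer and %ssl::bump_mode are standard Squid logformat codes.
logformat tlsinfo %ts.%03tu %>a %ssl::>sni %ssl::<cert_subject \
    %ssl::<cert_issuer %ssl::bump_mode %Ss/%03>Hs
access_log /var/log/squid/tls.log tlsinfo
```

Check the result with a single client connection and confirm the log line carries both the SNI and the certificate subject; if the subject is empty, the splice happened at step2, before the server certificate was seen.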
