On 21/07/17 01:11, Mihai Ene wrote:
> Hello,
> I'm a developer with higher-level language experience and very little
> commercial C++ development on my hands.
> I've been following the SslBump feature for a while now, and this
> includes source code changes. SslBumping with upstream proxies was
> completely restricted when bug 3209 was patched in 2011; however, I
> believe the patch is too restrictive. I agree with Amos's statement that
> a plaintext information leak is highly unsafe, but the patch also
> prevents SSL upstream proxy usage.
Hi Mihai,
That bug was 6 years ago, and the comments were specifically about using
plain-text peer connections. The patch was made to cover all parent
peers because ...
The problem Squid still has with SSL/TLS peers is not that they leak
info (they are contacted using TLS after all). It is that explicit-TLS
proxies use their own certs instead of mimic'd ones so they present
Squid with a cert other than the origin server cert. That has
side-effects at the child proxy where bumping cannot mimic the origin
cert details, and SSL-Bump ends up presenting a clearly invalid cert
which reasonable clients reject.
In order for the bumping to work without user-visible issues at present
the best way is for the child proxy to go to its DIRECT or ORIGINAL_DST,
then get re-intercepted into the parent and re-bumped there. Such that
the parent mimics the origin cert and it gets to the child proxy, then
the client.
> In order to prevent plaintext and still use upstream proxies, I propose
> the following changes (tested in an intranet, in production) which enable
> upstream proxies after SSL bumping, as long as the proxies are SSL
> themselves:
> - version 4.x
> https://github.com/randunel/squid4/commit/c91995833370771f9903b374f17a0d774643c2b3
> - version 3.5.x
> https://github.com/randunel/squid3/commit/a72a47cf0d54bf17faefcfe7692182d82d6520ab
FYI: we are now using github PR system as the only way to accept changes
to Squid.
Can you please do your submission as a PR request against the
https://github.com/squid-cache/squid repository master branch. It needs
to be accepted there before PR against the beta and stable branches code
will be considered (in that order).
Thank you
Amos
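As an added illustration of the point above (not code from this thread or from Squid): a small check, operating on the dict format returned by Python's `ssl.SSLSocket.getpeercert()`, that reports whether the certificate a client receives through a bumping proxy still carries the origin's names and covers the requested hostname. The three certificate dicts are constructed sample data; the parent-proxy one models an explicit TLS parent presenting its own identity instead of a mimicked origin cert.

```python
"""Compare the certificate a client receives through a bumping proxy with the
origin server's certificate (dict format of ssl.SSLSocket.getpeercert())."""


def subject_cn(cert):
    """Return the subject commonName, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_sans(cert):
    """Return the set of DNS subjectAltName entries, lower-cased."""
    return {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}


def name_matches(pattern, hostname):
    """RFC 6125 style match: one leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def covers_hostname(cert, hostname):
    """True if a client requesting `hostname` would accept this cert's names."""
    names = dns_sans(cert)
    if not names:  # legacy fallback: no SAN present, use the subject CN
        cn = subject_cn(cert)
        names = {cn.lower()} if cn else set()
    return any(name_matches(n, hostname) for n in names)


def mimic_report(presented, origin, hostname):
    """Report how well `presented` mimics `origin` for a client asking for `hostname`."""
    return {
        "hostname_covered": covers_hostname(presented, hostname),
        "cn_matches": subject_cn(presented) == subject_cn(origin),
        "missing_sans": sorted(dns_sans(origin) - dns_sans(presented)),
    }


# Constructed sample data (not real certificates).
ORIGIN_CERT = {"subject": ((("commonName", "www.example.com"),),),
               "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))}
MIMICKED_CERT = dict(ORIGIN_CERT)  # a correct bump: origin names, proxy-CA signed
PARENT_PROXY_CERT = {"subject": ((("commonName", "parent.proxy.example.net"),),),
                     "subjectAltName": (("DNS", "parent.proxy.example.net"),)}

if __name__ == "__main__":
    print(mimic_report(MIMICKED_CERT, ORIGIN_CERT, "www.example.com"))
    print(mimic_report(PARENT_PROXY_CERT, ORIGIN_CERT, "www.example.com"))
```

Feeding it the live `getpeercert()` result from a connection made through the child proxy, alongside one made directly to the origin, shows whether the chain delivered to clients is one they can be expected to accept.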
squid-dev mailing list
http://lists.squid-cache.org/listinfo/squid-dev