I'm not sure when this changed - more debugging tomorrow but I thought I'd post what I've found so far in case anyone has any input.

When peek/splice was first introduced, as far as I remember it worked like this (for transparently proxied connections):

1. Connection is accepted.
2. The ssl_bump ACL is checked for step 1 (my config produces a "peek" result).
3. The TLS session is peeked.
4. A fake CONNECT is produced containing the host name from the peeked SNI.
5. The spoof_client_ip, http_access, adaptation_access and cache ACLs are checked.
7. ICAP REQMOD callout
6. The ssl_bump ACL is checked for step 2.


Testing with Squid 3.5.26, this event order has changed, moving the peeking process until later:

1. Connection is accepted.
2. ssl_bump ACL is checked for step 1 (returning "peek").
3. A fake CONNECT is produced containing the web server's IP address.
4. The spoof_client_ip, http_access, adaptation_access and cache ACLs are checked.
5. The TLS session is peeked.
6. The ssl_bump ACL is checked for step 2.
(The ICAP REQMOD callout no longer seems to happen)


This means the peeked SNI is no longer available when processing the majority of ACLs. The upshot is that:

1. http_access ACL rules can only operate on the IP address, rather than the SNI.
2. If the http_access ACL produces an HTTP response (e.g. a 302 redirect), Squid has to bump the connection. Since the connection hasn't yet been peeked, the forged certificate contains the server's IP address rather than the host name and the browser displays a security warning.


Looking at the code, client_side.cc:ConnStateData::fakeAConnectRequest() still contains the code to insert the SNI into the fake CONNECT:
    if (serverBump() && !serverBump()->clientSni.isEmpty()) {
        // Use the peeked SNI as the CONNECT host, with the intercepted port appended.
        connectHost.assign(serverBump()->clientSni);
        if (clientConnection->local.port() > 0)
            connectHost.appendf(":%d",clientConnection->local.port());
    }

However, this happens long before the connection is actually peeked.

I've not tested non-transparent mode yet. Am I missing something or has this all changed at some point?

--
 - Steve Hill
   Technical Director
   Opendium    Online Safety / Web Filtering    http://www.opendium.com

   Enquiries                 Support
   ---------                 -------
   [email protected]        [email protected]
   +44-1792-824568           +44-1792-825748
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev