----- Original Message -----
> From: Alex Rousskov <[email protected]>
> To: "[email protected]" <[email protected]>
> Cc:
> Sent: Wednesday, 6 March 2013 6:20 AM
> Subject: Re: [squid-users] Bypassing SSL Bump for dstdomain
>
> On 03/04/2013 10:11 PM, Amm wrote:
>
>>> # Let user specify domains to avoid decrypting, such as internet banking
>>> acl bump-bypass dstdomain .commbank.com.au
>>> ssl_bump none bump-bypass
>>> ssl_bump server-first all
>
>
>> This will not work for intercepting traffic. Because domain is known
>> only after SSL connection is established. So certificate stage etc
>> has already passed.
>
> It will work but only if the reverse DNS lookup for the intercepted IP
> address works: ssl_bump supports slow ACLs, and dstdomain is a slow ACL
> if given an IP address.
As per http://www.squid-cache.org/Doc/config/acl/ it's a fast ACL:
acl aclname dstdomain .foo.com ...
# Destination server from URL [fast]
Also, depending on a reverse lookup for bypassing ssl_bump can be
insecure w.r.t. policy. Rare, but still somewhat insecure.
>> I am also assuming that squid checks IP based ACLs for ssl_bump
>> before establishing connection with client.
>
> Squid checks all ssl_bump ACLs before establishing a TCP connection with
> the server. The TCP connection from the client is already accepted (or
> intercepted) by the time ssl_bump ACL is checked.
What I would like to know is: does squid check the ssl_bump ACL before starting
the SSL connection with the client, or after? (for intercepting on https_port)
Otherwise the ssl_bump server-first OR none feature does not help much.
Regards,
Amm.
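Added example (not Squid's code, and not from any poster above): a small model of the policy question in this thread. An intercepted connection carries only a destination IP, so a dstdomain ACL such as `.commbank.com.au` can only be evaluated by a reverse (PTR) lookup of that IP. The model shows the leading-dot matching rule of dstdomain, why a bypass decided purely on the PTR name is only as trustworthy as whoever controls the PTR record for that IP (the concern raised in the reply), and a forward-confirmed reverse DNS check that closes that gap. The `PTR` and `A` tables, the IP addresses, the host names and the helper functions are constructed for the example; Squid does not perform the forward confirmation shown here.

```python
"""Model of a dstdomain-based ssl_bump bypass decided by reverse DNS.

Constructed example: the resolver tables below are fake data, not real DNS.
"""
from typing import Dict, List

# Constructed PTR records: controlled by whoever owns the IP block.
PTR: Dict[str, str] = {
    "203.0.113.10": "www.commbank.com.au",    # bank-owned address, honest PTR
    "198.51.100.7": "login.commbank.com.au",  # third-party address, forged PTR
}

# Constructed forward (A) records: controlled by the domain holder.
A: Dict[str, List[str]] = {
    "www.commbank.com.au": ["203.0.113.10"],
    "login.commbank.com.au": ["203.0.113.10"],  # never points at 198.51.100.7
}


def dstdomain_match(pattern: str, name: str) -> bool:
    """dstdomain matching: a leading dot matches the domain itself and every
    subdomain; without the dot only an exact (case-insensitive) match counts."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def reverse_only_match(pattern: str, ip: str) -> bool:
    """What a reverse-lookup-based bypass does: trust the PTR name as-is."""
    name = PTR.get(ip)
    return name is not None and dstdomain_match(pattern, name)


def fcrdns_match(pattern: str, ip: str) -> bool:
    """Forward-confirmed reverse DNS: accept the PTR name only if that name's
    forward records contain the IP we are actually connecting to."""
    name = PTR.get(ip)
    if name is None or not dstdomain_match(pattern, name):
        return False
    return ip in A.get(name, [])


def decide(pattern: str, ip: str, confirmed: bool) -> str:
    """Return the ssl_bump action the bypass policy would take for this IP:
    'none' (do not decrypt) when the bypass ACL matches, else 'server-first'."""
    matched = fcrdns_match(pattern, ip) if confirmed else reverse_only_match(pattern, ip)
    return "none" if matched else "server-first"


if __name__ == "__main__":
    for ip in PTR:
        print(ip, "reverse-only:", decide(".commbank.com.au", ip, False),
              "fcrdns:", decide(".commbank.com.au", ip, True))
```

With `confirmed=False` the forged PTR on 198.51.100.7 is enough to switch that destination to `ssl_bump none`, i.e. traffic to an address the bank does not own leaves the proxy undecrypted; with forward confirmation the same address falls back to `server-first` because the claimed name does not resolve to it.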